A little-known payments processor, which bills itself as a Christian-friendly company that does “not process credit card transactions for morally objectionable businesses,” left a database containing years’ worth of customer payment transactions online.
The database contained 6.7 million records dating back to 2013 and was still being updated daily. But the database was not protected with a password, allowing anyone to look inside.
Security researcher Anurag Sen found the database. TechCrunch identified its owner as Cornerstone Payment Systems, which provides payment processing to ministries, non-profits, and other morally aligned businesses across the U.S., including churches, religious radio personalities, and pro-life groups.
Payment processors handle credit and debit card transactions on behalf of a business.
A review of a portion of the database showed each record contained payee names, email addresses, and in many but not all cases postal addresses. Each record also had the name of the merchant being paid, the card type, the last four digits of the card number, and its expiry date.
The data also contained specific dates and times of the transaction. Each record also indicated if a payment was successful or if it was declined. Some of the records also contained notes from the customer, often describing what the payment was for — such as a donation or a commemoration.
Although there was some evidence of tokenization — a way of replacing sensitive information with a unique string of letters and numbers — the database itself was not encrypted.
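To make the distinction in that paragraph concrete, here is an added illustration (not code from the article or from Cornerstone) of what tokenization does and does not protect. It replaces the full card number with a random token held in a separate vault, but leaves the rest of a transaction record, the name, email, last four digits, expiry and note, exactly as sensitive as before. The function and field names, the in-memory dictionary standing in for a vault, and the sample card number are all assumptions constructed for this example.

```python
import secrets
from typing import Dict, List, Optional

# Constructed stand-in for a token vault. In practice the vault is a separate,
# access-controlled store; the point here is that the PAN lives only in it,
# never in the transaction database itself.
_VAULT: Dict[str, str] = {}


def tokenize_card(pan: str) -> str:
    """Replace a primary account number (PAN) with a random token.

    The token is generated with a CSPRNG and carries no information about the
    PAN; the only link between the two is the entry written into the vault.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    token = "tok_" + secrets.token_hex(16)
    _VAULT[token] = digits
    return token


def detokenize(token: str) -> Optional[str]:
    """Look a token up in the vault; returns None for an unknown token."""
    return _VAULT.get(token)


def build_transaction_record(payee_name: str, email: str, pan: str, expiry: str,
                             merchant: str, amount_cents: int, note: str = "",
                             postal_address: str = "") -> dict:
    """Build the kind of record a processor would store after tokenizing the PAN.

    Only the token and the last four digits are kept for the card; everything
    else is stored in the clear, which is what tokenization alone implies.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    return {
        "payee_name": payee_name,
        "email": email,
        "postal_address": postal_address,
        "card_token": tokenize_card(pan),
        "card_last4": digits[-4:],
        "expiry": expiry,
        "merchant": merchant,
        "amount_cents": amount_cents,
        "note": note,
    }


def fields_still_sensitive(record: dict) -> List[str]:
    """Return the non-empty fields that still identify the payee or the card.

    Tokenization protects the PAN; it does nothing for the surrounding PII, so
    the database holding these records still needs authentication and
    encryption at rest.
    """
    candidates = ("payee_name", "email", "postal_address",
                  "card_last4", "expiry", "note")
    return [k for k in candidates if record.get(k)]


if __name__ == "__main__":
    # Constructed sample input; 4111111111111111 is a well-known test card number.
    rec = build_transaction_record("A. Donor", "donor@example.com",
                                   "4111 1111 1111 1111", "12/27",
                                   "Example Ministry", 2500,
                                   note="In memory of a relative")
    print(rec)
    print("still sensitive:", fields_still_sensitive(rec))
```

The record that comes out contains no full card number, and the token is useless to anyone who reads the database without also reaching the vault; but the payee's name, email, note, last four digits and expiry are all still there in plaintext, which is why an unauthenticated, unencrypted database is a breach even when card numbers are tokenized.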
We used some of the email addresses to contact a number of affected customers. Two people whose names and transactions were found in the database confirmed their information was accurate.
After TechCrunch contacted Cornerstone, the company pulled the database offline.
“Cornerstone Payment Systems has secured all server access,” said spokesperson Tony Adamo.
“It is vital to note that Cornerstone Payment Systems does not store complete credit card data or check data. We have put in place enhanced security measures locking down all URLs. We are currently reviewing all logs for any potential access,” he added.
Cornerstone did not say if it will inform state regulators of the security lapse, which it is required to do under California's data breach notification law.