Timely Cybernews intervention helps protect PayDo customers’ financial data


In an ongoing race, cybercriminals and security researchers relentlessly scan the web for vulnerabilities, each driven by different motivations. Cybernews was the first to discover an unprotected instance containing financial customer data, and our timely intervention helped protect customers of PayDo, a payment processor. Here are the lessons learned.

On August 27th, the Cybernews research team discovered a public-facing Elasticsearch instance containing millions of entries of sensitive financial information. Elasticsearch is a commonly used tool for searching, analyzing, and visualizing large volumes of data.

The researchers quickly realized that the instance belonged to PayDo, a payment provider serving the gaming, e-commerce, entertainment, and other industries.


It appeared that the instance was left open inadvertently, and the company later confirmed that.

This incident could have caused major damage to the company and its customers. Fortunately, it seems that no one else accessed the data, as confirmed by third-party auditors.

Yet, it is a good opportunity to learn from others’ mistakes.


What happened?

“During the migration of our Elasticsearch service from one AWS account to another, a configuration error occurred, resulting in data becoming publicly accessible. We discovered that the issue arose from incorrect IP address configurations at the firewall level,” the spokesperson for PayDo explains.

Later, a detailed investigation revealed that this issue was caused by human error rather than a systematic problem.

The company analyzed the AWS logs and monitoring and did not find any anomalies that could indicate that data could have been downloaded by anyone. It also provided a third-party security audit report confirming that no data leaks were detected.


What data was at risk?

The exposed instance contained almost 40GB of sensitive financial data. The 30 indices in it included the following:

  • Personal data related to over 20 million transactions, such as names, email addresses, and IP addresses.
  • Partial payment information for over two million transactions, including purchased items and partial card data such as the credit card BIN, the last four digits, and the cardholder name.
  • Over 58 million KYC process log entries, including customer names, addresses, dates of birth, bank account numbers, ID numbers, document numbers, and driver's license numbers. Scans and photos of documents were secured with authentication.

The actual number of potentially impacted people is significantly smaller than the number of entries. Separate logs were generated in each of the multiple stages of checkout, payment, and KYC verification procedures.


What did the company do to protect customers?

PayDo took proactive steps to safeguard the data and customers. It also transparently disclosed the incident.

“Although the incident is unlikely to cause any harm to our customers, we have already disclosed the matter to the relevant authorities to maintain our high compliance and integrity standards,” PayDo said.

Thorough internal and independent external investigations confirmed to PayDo that no customer data has been exploited and no damage has been caused to customers. The initial steps included the following:

  • The DevOps team conducted a thorough analysis of event logs and AWS monitoring (specifically CloudWatch, CloudTrail, and VPC Flow Logs), which allows for the detection of any activities, such as large volumes of downloads. After this analysis, no anomalies were found, indicating that no data downloads occurred.
  • An external cybersecurity provider conducted an independent breach-tracking analysis. According to that analysis, no signs of data leakage had been detected as of the 23rd of October, 2024. “This confirms that an independent expert evaluation also found no security issues in the system,” PayDo said.
  • Additional verification through third-party services, such as “Have I Been Pwned” and others, revealed no evidence that any data had been compromised or publicly exposed. The company did not receive any contact from malicious actors, which would be typical had they obtained sensitive data.

To address current challenges, PayDo has also established a robust action plan to improve cybersecurity posture:

  • Upgrading the Security Operations Center (SOC).
  • Rolling out a predictive MDR (Managed Detection and Response) system.
  • Introducing a Bug Bounty Program in 2025.
  • Automating data breach detection and system availability monitoring.
  • Improving the Change Management and Quality Assurance processes.
  • Maintaining a dedicated communication line for bug and data leak reports.

How dangerous was the potential impact?

PayDo assures that certain crucial data points “were not at any risk at any time,” including user passwords, security tokens, full credit card information, customer documents, account statements and balances, or communications with PayDo.

“In case of unlikely misuse of temporarily exposed data points, customers bear moderate levels of potential threats, which could include exposure to spam and/or phishing emails. Potentially exposed financial data would not be sufficient to compromise access to customers' cards and accounts,” the company said.

However, Cybernews researchers warn that for cybercriminals, the exposed dataset still would be a bonanza.

“The information was detailed, and the potential impact could be devastating for many individuals. Part of the transactions in the database can be considered as ‘higher-risk’ related to gaming or gambling online. If cybercriminals had found the database first, they would hit a list of perfect potential victims,” Cybernews researchers say.

Malicious actors could use any exposed information for various purposes, including sending spam, phishing, identity theft, and fraud on a large scale. And these are just the low-hanging fruit.

“Cybercriminals are creative at implementing new social engineering schemes and campaigns. They combine data from various leaks for credential stuffing attacks, attempt to take over social media and other accounts and sell the data on the dark web to other cybercriminals who may attempt to move laterally within networks. This could lead to more sophisticated attacks,” our researchers said.

PayDo is an electronic money institution that has been operating since 2017. It serves both the B2B and B2C markets, collaborates with 28 industries, and operates in over 140 countries. The brand is owned by Ecommerce Technologies Ltd, which is registered in the UK.


It is a relatively small firm. According to the public filings, Ecommerce Technologies (PayDo) generated 4.7 million British Pounds ($6.1 million) in revenue and GBP 1.2 million ($1.56 million) in profit in the financial year 2023.

Lesson 1: keep communication channels open

Cybernews researchers sent the initial disclosure email on August 28th to an email address of the CEO that they found online. However, after several follow-ups, they received no response until they re-sent the disclosure to an alternate email address on September 18th. This delayed the response by a few weeks.

“Make sure to include easily accessible contact information for external security researchers on your website,” the researchers said. “Establishing a dedicated line for security disclosures or a bug bounty can save valuable time in passing information and responding effectively.”

Lesson 2: protect and sanitize instances

Any cybersecurity incident is bad on its own. However, payment institutions must adhere to stricter regulations.

PayDo claims to be compliant with PCI DSS (Payment Card Industry Data Security Standard), which is an information security standard used to protect cardholder data from major card brands. PCI DSS includes many compliance requirements, such as building and maintaining secure networks and systems, protecting cardholder data, and maintaining various advanced security measures.

“This leak confirms the importance of properly following industry compliance standards and certifications. Having sensitive information in logs is a poor security practice. Sensitive personal information must be properly access-controlled, encrypted, and obfuscated or omitted wherever possible,” the researchers said.

Cybernews researchers recommend sanitizing the logs to remove personal and financial information, conducting an audit to uncover other potential vulnerabilities, and ensuring compliance with relevant standards such as PCI DSS and 3D Secure.
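As an added illustration of the log-sanitizing advice above (example code, not PayDo's pipeline), the sanitizer below processes checkout- and KYC-style records before they are indexed: Luhn-validated card numbers anywhere in free text are masked down to BIN plus last four, identifiers such as names, emails and IP addresses are replaced with salted pseudonyms, and KYC fields (dates of birth, ID and document numbers) are dropped entirely. The field names and sample records are constructed assumptions.

```python
import hashlib
import re

# Constructed sample records in the shape a checkout/KYC pipeline might emit
# (not real data; field names are assumptions for this example).
SAMPLE_LOGS = [
    {"event": "checkout", "email": "alice@example.com", "ip": "203.0.113.7",
     "card": "4111111111111111", "holder": "Alice Example", "item": "game credits"},
    {"event": "kyc", "name": "Bob Example", "dob": "1990-01-01",
     "id_number": "AB123456", "note": "card 5555555555554444 on file"},
]

# 13-19 digits, optional single space/dash separators, must start and end on a digit.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
DROP_FIELDS = {"dob", "id_number", "document_number", "bank_account"}
PSEUDONYMIZE_FIELDS = {"email", "name", "holder", "ip"}

def luhn_ok(digits):
    """Luhn check so that order numbers and timestamps are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(match):
    """Keep BIN (first 6) and last 4, the most PCI DSS allows to be displayed."""
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def pseudonymize(value, salt):
    """Stable salted hash so records can still be correlated without exposing identity."""
    return hashlib.sha256((salt + value).encode()).hexdigest()[:16]

def sanitize(record, salt="example-salt-rotate-me"):
    clean = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                       # never log KYC identifiers
        if key in PSEUDONYMIZE_FIELDS:
            clean[key] = pseudonymize(str(value), salt)
        elif isinstance(value, str):
            clean[key] = PAN_RE.sub(mask_pan, value)   # catch PANs in free text too
        else:
            clean[key] = value
    return clean
```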

Lesson 3: transparency and effective mitigation are key


PayDo took proactive steps to ensure the safety and security of its customers and investigate the root causes of the incident.

“We have duly informed our customers of the incident, providing an easy-to-understand explanation of what happened and how they might be affected. We specifically pointed out potential threats and established a dedicated helpline for additional support,” the company said.

Timely collaboration and mitigation reduced the risk of a larger exposure.

“According to the Information Commissioner's office, human error is a leading cause of reported data breaches, which, for us, is by no means justification for its occurrence,” PayDo said. “While none of our customers are currently affected by the incident, our concern and attention to the matter does not diminish, and we continue supporting our customers.”

If PayDo customers notice any suspicious spam or phishing attempts, the company suggests contacting them immediately at [email protected] and/or [email protected].

Lesson 4: predict human errors

As detailed above, PayDo plans to implement procedures and tools that catch future human errors, which are inevitable, before they cause harm. Every organization dealing with sensitive user data should establish preventive controls that limit the potential consequences of such errors.

Those include stricter access control limits, more secure default configurations (for example, blocking everything by default and requiring an intentional configuration change to open anything), active asset monitoring, and an up-to-date asset inventory.
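The incident was traced to an IP configuration error at the firewall level during an AWS migration, so one preventive control is an automated check that no security group exposes the Elasticsearch or Kibana ports beyond an approved internal range. The example below is added here (not PayDo's tooling) and works on rules in the shape boto3's describe_security_groups returns; the group ids, CIDRs and port list are constructed assumptions.

```python
import ipaddress

# Ports treated as Elasticsearch/Kibana listeners (assumption for this example).
SENSITIVE_PORTS = {9200, 9300, 5601}

# Constructed security-group rules in the shape boto3's describe_security_groups
# returns (not a real configuration; group ids and CIDRs are made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000aaaa", "GroupName": "es-migrated", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000bbbb", "GroupName": "es-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000cccc", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

def rule_ports(rule):
    """Port range a rule opens; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]

def rule_is_public(rule, allowed_cidrs):
    """True if any source range falls outside the allow-list (deny-by-default view)."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    for src in sources:
        net = ipaddress.ip_network(src)
        same_family = [a for a in allowed if a.version == net.version]
        if not any(net.subnet_of(a) for a in same_family):
            return True
    return False

def find_exposed(groups, allowed_cidrs):
    """(group id, port) pairs where a sensitive port is reachable beyond the allow-list."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            lo, hi = rule_ports(rule)
            exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
            if exposed and rule_is_public(rule, allowed_cidrs):
                findings.extend((g["GroupId"], p) for p in exposed)
    return findings
```

Run against live data by feeding the `SecurityGroups` list from boto3 into find_exposed; a non-empty result is what a migration change gate or scheduled asset-monitoring job should block or page on.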

Disclosure timeline

  • August 27th, 2024: Leak discovered.
  • August 28th, 2024: Initial disclosure email sent and multiple follow-up emails.
  • September 18th, 2024: Disclosure email sent to alternative email address.
  • September 20th, 2024: Instances closed to the public.