Credit Card Processing Company Exposed 9 Million Transaction Records Online
Credit Card Data Breach
Upon further research, there were references to California-based Cornerstone Payment Systems. Once we identified the owner of the dataset, we immediately sent a responsible disclosure notice, and public access was restricted the same day. Cornerstone acted fast and professionally and thanked us for identifying and reporting the exposure. According to their website, Cornerstone West Inc. is a registered independent sales organization (ISO) of Deutsche Bank, USA, New York, NY.
Credit and financial data is highly sensitive because a vast majority of cybercrime is financially motivated. If criminals had partial credit card numbers, account or transaction information, names, contacts, and donation comments, they could hypothetically build a profile of those individuals based on their religious affiliation or the causes they are passionate about. These criminals could then launch a highly targeted phishing campaign or social engineering attack. It is estimated that 98% of cyber attacks involve some form of social engineering. This publicly exposed dataset could have been a goldmine for cybercriminals.
What the Database Contained:
- Total Number of Records Exposed: 9,098,506
- Folder named “Transactions”: Internal transaction log records that included merchants, users, and customer names, physical addresses, email addresses, phone numbers, and much more. This data could be considered Personally Identifiable Information (PII).