Government Payment Service Inc., a company that offers a service called GovPayNow used by U.S. state and local governments, exposed 14 million records online.

Discovered by security researcher Brian Krebs and revealed Tuesday, the breach included names, addresses, phone numbers and the last four digits of the payer’s credit card going back six years. It was all exposed by the company failing to secure them, leaving them open for anyone to access.

Often these stories include a misconfigured cloud instance, but in this case, it was a coding error that allowed anyone to change the number in the URL created by a receipt on the service to view other receipts.

The company confirmed the issue. It said in a statement that “GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients.” It added that it has “no indication that any improperly accessed information was used to harm any customer.”

Jeannie Warner, security manager at WhiteHat Security Inc., told SiliconANGLE that vulnerabilities and weaknesses in websites are incredibly common, with many businesses unaware of the risk factors in their websites.

“In the case of GovPayNow.com, which is used by thousands of government agencies across 35 states, lax security could have exposed a great deal of PII — customer names, addresses, phone numbers and the last four digits of their credit cards — to any adversary, taking advantage of common web vulnerabilities,” Warner said.

Checkmarx Inc. Chief Technology Officer Matthew Rose said the breach is yet another example of how a small security oversight can jeopardize software and leave millions of end users exposed, paving the way for more sophisticated phishing attacks in the future.

“The larger threat occurs when hackers use the initial information collected to reach out to individuals and ask them to either verify their purchase or re-enter their information to confirm a purchase,” he said. That, he explained, is one way to get a more complete set of personal user data that can then be used in much more sophisticated activities such as opening new credit cards, getting mortgages or even filing false tax returns in their name.

“This breach, and others like it, continue to occur because software security is still not being implemented correctly,” Rose added. “In fact, the GovPayNow breach was a direct result of an application doing exactly what it was supposed to in terms of intended functionality but also functioning in unanticipated ways. Multiple security checks in the application need to verify that the correct information is displayed to the correct user.”

Image: 111692634@N04/Flickr