A database with 2.5 million credit card transactions belonging to New York mobile payments solutions provider PAAY LLC has been found exposed online.

Discovered and revealed today by security researcher Anurag Sen, the database included credit card numbers, expiration dates and amount spent dating back to Sept. 1. The database did not include cardholder name or card verification values, somewhat limiting the usefulness of the data to hackers.

The data is said to have been exposed online for at least three weeks until it was taken offline after TechCrunch contacted the company. PAAY admitted that a database belonging to it had been accidentally exposed but disputed the claim that the database included credit card numbers.

“On April 3, we spun up a new instance on a service we are currently in the process of deprecating,” PAAY co-founder Yitz Mendlowitz said. “An error was made that left that database exposed without a password.”

Although not confirmed, it would appear to be yet another case of a company failing to properly secure a cloud-hosted database. The list of companies who have exposed data in this way is extraordinarily long, although cases have dropped off in 2020 as security awareness around the issue continues to improve.

“PAAY offers a service as a third-party middleman between two banks by providing an additional security layer for the transactions but unfortunately leaves all records exposed without passwords and vulnerable to attacks,” Robert Prigge, chief executive officer of identity verifications solutions company Jumio Corp., told SiliconANGLE. “It’s important for banks of all sizes only rely on vendors and third parties that are PCI-compliant and come equipped with the necessary security and certifications to keep customers protected.”

Passwords in general can no longer be trusted to keep sensitive data safe in today’s fraud environment, Prigge said.

“The timing of this breach also couldn’t be worse for victims as storefronts are closed amid the global health pandemic and more purchases are made online,” he said. “Impacted users are at greater risk for cybercriminals using exposed credentials to make fraudulent purchases.”

Instead of passwords, he added, artificial intelligence is the key. “Coupled with facial authentication using a person’s unique biological characteristics to confirm identity, AI ensures a cardholder is who they say they are when making an online purchase,” he said.

Image: PAAY