Cornerstone Payment Systems Leaked 6.7M Records

leaked data

Recently, Cornerstone payment processing company was found failing to protect its database containing credit card transactions. The Cornerstone Payment System handles payments to churches, government agencies, and other Christian-like organizations. However, the company’s database containing years of customer payment transactions has recently been exposed online. The database contains 6.7 million records since 2013 and is updated daily. As the database is not password-protected, anyone can view it through the Internet.

Cornerstone payment processing company processes credit and debit card transactions on behalf of businesses. A review of a portion of the database revealed that each record contained the payee name, email address, and in many cases, but not all, the postal address. Each record also contains the name of the merchant to pay, the type of card, the last four digits of the card number, and its expiration date. The data also contains specific transaction dates and times. Each record also indicates whether the payment was successful or rejected. Some records also contain notes from customers, often describing the purpose of the payment, such as a donation or memorial. Despite some tokenized evidence, a way to replace sensitive information with unique alphanumeric strings, the database itself is not encrypted.

Researchers used some email addresses found in the database to contact many of the affected customers. Two people who found their names and transactions in the database confirmed that their information was correct. After researchers contacted Cornerstone, the company took the database offline and claimed that Cornerstone Payment Systems has secured access to all servers as Cornerstone Payment Systems does not store complete credit card or check data. In addition, Cornerstone stated that they have implemented enhanced security measures to lock all URLs, and they are currently reviewing all logs for any potential access. Cornerstone did not disclose whether state regulators were notified of the security breach; however, it is a requirement under California’s data breach notification law.



Contact LIFARS Immediately if Your

Organization was Hit with a Data Breach