Paay, a New York-based card payments processor, left about 2.5 million credit card transactions publicly exposed for roughly three weeks. The organization forgot to put password protection on the server, allowing anyone to access the data inside. Specifically, the housed data contains plaintext credit card numbers, expiration dates, the amount spent and partially masked copies of each credit card number; cardholder names and CVVs were not included.
Chris DeRamus, Co-founder & CTO, DivvyCloud
April 23, 2020
According to Paay’s CEO, they spun up and subsequently misconfigured an instance, leaving their database of 2.5 million card transaction records exposed to the public without a password. Unfortunately, Paay’s misconfiguration is quite common, and we’ve grown used to seeing these data exposures pop up in headlines every couple of weeks. Companies need to realize that without a holistic approach to security, they open themselves up to undue risk. What we have seen from a lot of companies to date is that their security and compliance practices have been mainly reactive. If they are among the more prepared organizations, their teams will scramble to catch cloud infrastructure misconfigurations, risks, and compliance violations after provisioning or creation (i.e., “at runtime”). However, relying primarily on runtime detection increases security and compliance risks significantly. It also interferes with productivity, as developers have to spend their time addressing issues. The friction you hear about between security professionals and developers generally stems from a reliance on runtime security, which in turn makes it more likely that developers will try to circumvent security altogether, leading to, you guessed it, more misconfigurations. Paay’s exposure of transaction data highlights how developers and security teams should work towards proactively identifying cloud compliance and security issues before cloud resources are deployed.
Organizations should not rely solely on runtime security and instead must “shift left” by taking preventative measures early on in their continuous integration (CI) and continuous delivery (CD) pipelines. Such a proactive approach will allow organizations to prevent security issues from occurring and will enable security teams to catch cloud infrastructure misconfigurations before massive leaks occur.
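One way to turn the pre-deployment check the quote calls for into a CI job, as an added example that is not part of the article or of any vendor's tooling: a small policy script that inspects a constructed, simplified description of the resources about to be provisioned (the `type`, `publicly_accessible`, `ingress_cidrs` and `auth_required` fields and the overall schema are assumptions for illustration, not any real provider's or infrastructure-as-code tool's format) and blocks the pipeline when a data store would go live publicly reachable or without authentication, which is the combination the article describes.

```python
"""Pre-deployment data-store exposure check (added example, not from the article).

A CI stage can feed this a description of the resources a change would create,
derived from the infrastructure-as-code output, and fail the build before
anything is provisioned. The resource schema below is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Dict, List

# Ingress ranges that mean "the whole internet".
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    resource: str  # name of the offending resource
    rule: str      # short rule identifier
    message: str   # human-readable explanation for the build log


def check_data_store(resource: Dict) -> List[Finding]:
    """Apply the data-store rules to one resource description."""
    findings: List[Finding] = []
    name = resource["name"]

    # Rule 1: a data store must not be directly addressable from the internet.
    if resource.get("publicly_accessible", False):
        findings.append(Finding(name, "no-public-datastore",
                                "data store is publicly addressable"))

    # Rule 2: its network ingress must not be open to everyone.
    open_cidrs = PUBLIC_CIDRS & set(resource.get("ingress_cidrs", []))
    if open_cidrs:
        findings.append(Finding(name, "no-open-ingress",
                                f"ingress open to {sorted(open_cidrs)}"))

    # Rule 3: authentication must be enforced (the Paay case had none).
    if not resource.get("auth_required", False):
        findings.append(Finding(name, "auth-required",
                                "data store accepts connections without credentials"))
    return findings


def evaluate(resources: List[Dict]) -> List[Finding]:
    """Run every applicable rule over a planned set of resources."""
    findings: List[Finding] = []
    for resource in resources:
        if resource.get("type") == "data_store":
            findings.extend(check_data_store(resource))
    return findings


def pipeline_should_block(resources: List[Dict]) -> bool:
    """True when the change must not be deployed as planned."""
    return bool(evaluate(resources))


# Constructed sample plan: one misconfigured store resembling the exposure
# described in the article, one compliant store, and one unrelated resource.
SAMPLE_PLAN = [
    {"type": "data_store", "name": "txn-db-prod", "publicly_accessible": True,
     "ingress_cidrs": ["0.0.0.0/0"], "auth_required": False},
    {"type": "data_store", "name": "txn-db-internal", "publicly_accessible": False,
     "ingress_cidrs": ["10.0.0.0/8"], "auth_required": True},
    {"type": "compute", "name": "api-worker"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_PLAN):
        print(f"[{f.rule}] {f.resource}: {f.message}")
    raise SystemExit(1 if pipeline_should_block(SAMPLE_PLAN) else 0)
```

Exiting non-zero is what makes this a "shift left" control: the build stops at the pull request, not after the database has already been serving the internet for weeks. The same rule functions can be reused at runtime against the live inventory, so detection after deployment becomes a backstop rather than the primary control.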
