Credit Card Data Breach
Upon further research there were references to California based Cornerstone Payment Systems. Once we identified the owner of the dataset we immediately sent a responsible disclosure notice and public access was restricted the same day. Cornerstone acted fast and professionally and thanked us for identifying and reporting the exposure. According to their website; Cornerstone West Inc. is a registered independent sales organization (ISO) of Deutsche Bank, USA, New York, NY.
Credit and financial data is highly sensitive due to the fact that a vast majority of cybercrime is financially motivated. If criminals had partial credit card numbers, account or transaction information, names, contacts, and donation comments, they could hypothetically establish a profile on those individuals based on their religious affiliation or causes they are passionate about. These criminals could then launch a highly targeted phishing campaign or social engineering attack. It is estimated that 98% of cyber attacks involve some form of social engineering. This publicly exposed dataset could have been a potential goldmine to cybercriminals to work from.
What the Database Contained:
- Total Number of Records Exposed: 9,098,506
- Folder named “Transactions” : Internal transaction log records that included merchants, users, and customer names, physical addresses and email addresses, phone numbers, and much more. This data could be considered Personally Identifiable Information (PII).