Another day, another leak.
Another leak, another entity claiming it’s not real data.
Another leak, another frustrating experience trying to responsibly disclose.
According to Safety Detectives, they found exposed data related to an app called Transact Campus:
Transact Campus’ technology integrates several payment functions into a single mobile platform to power student purchases at higher education institutions. Transact Campus’ services streamline payment processes for students and institutions alike.
An Elasticsearch server containing data related to Transact Campus was left unsecured, without any password protection, and has therefore exposed over 1 million student records.
Both payment and personal information were implicated in the leak:
- Full names
- Email addresses
- Phone numbers
- Login credentials in plain text, incl. usernames and passwords
- Transaction details, incl. amount and time of purchase
- Credit card details (incomplete), incl. 6 first digits (BIN*) and last 4 digits of credit card numbers, expiry dates, and bank details
- Purchased meal plans and meal plan balances
*Note: A Bank Identification Number (BIN) is the first six digits of a payment card number. These numbers identify the card issuer.
But according to Transact Campus, who finally responded more than one month later to attempts to notify them, the leaking server was not under their control and the data weren’t real:
Apparently this was set up by a third party for a demo and was never taken down. We did confirm that the dataset was filled with a fake data set and not using any production data.
But Safety Detectives was apparently not convinced of that, and added a note:
NOTE: We checked a sample of users on the open Elasticsearch and this data seemed to belong to real people.
Read more at Safety Detectives. This sounds like Transact Campus will not be going further with the notification, and who is the third party who might be responsible? And were the data real? It would be great if there was some regulator who, you know, might actually investigate the incident to determine if notifications should be made.