The misconfigured Elasticsearch database apparently belonged to the US-based software solution provider Transact Campus.
SafetyDetectives’ cybersecurity research team, led by Anurag Sen, identified a misconfigured Elasticsearch server that exposed data from the Transact Campus app. According to their analysis, the server was internet-connected and required no password to access the data.
As a result, around 1 million records were leaked, revealing personally identifiable information of over 30,000 to 40,000 students.
About Transact Campus
Transact Campus is an American payment software provider headquartered in Phoenix, Arizona. The company offers technological solutions for integrating versatile payment functions into a single mobile platform.
Its software solutions are mainly used to facilitate student purchases at higher education institutes and streamline payment processes for institutions and students.
What was Exposed?
SafetyDetectives wrote in the report that the 5GB database exposed by the server contained details of students who are account holders at Transact Campus. Most of the impacted individuals are US nationals.
The exposed data included students’:
- Full names
- Phone numbers
- Email addresses
- Credit card details
- Transaction details
- Login information (username and passwords), etc.
It is worth noting that the login data, including username and password, was stored in plain text format. On the other hand, the credit card details included the banking identification number, which comprises the first six and last four digits of the credit card number, bank information, and the card’s expiration date. Furthermore, the students’ purchased meal plans and meal plan balance were also part of the leaked data.
Transact Campus’ Response
SafetyDetectives informed Transact Campus about the exposed database in December 2021, and the company replied after over a month in January 2022. However, the details of the incident were only published last week.
During this time, researchers made several attempts to contact the company and also contacted US-CERT, after which the server was secured. Transact Campus claimed that the exposed server wasn’t under its control and that the data was fake.
“Apparently this was set up by a third party for a demo and was never taken down. We did confirm that the dataset was filled with a fake data set and not using any production data.”
However, SafetyDetectives claims that the server in question was still being continuously updated when it was discovered. They checked the data using publicly available tools and found that it belonged to real people.
Nevertheless, SafetyDetectives and Anurag Sen have a proven track record of identifying and reporting exposed databases and servers to affected parties. Some of their previous reports include the following:
- Cosmetic Giant Natura
- Calgary Parking Authority
- Uganda Security Exchange
- German Shopping Giant Windeln
- Australian Trading Giant ACY Securities
- Brazilian Marketplace Integrator Hariexpress
The list goes on…
Researchers couldn’t identify whether or not unauthorized third parties and malicious actors accessed the database before it was secured. If it was accessed, cybercriminals could target students in various attacks, from scams to phishing and spam marketing, or even carry out account takeovers, since login credentials were stored in unencrypted form on the server.