A little-known payments processor, which bills itself as a Christian-friendly company that does “not process credit card transactions for morally objectionable businesses,” left online a database containing years’ worth of customer payment transactions.
The database contained 6.7 million records since 2013, and was updating by the day. But the database was not protected with a password, allowing anyone to look inside.
Security researcher Anurag Sen found the database. TechCrunch identified its owner as Cornerstone Payment Systems, which provides payment processing to ministries, nonprofits and other morally aligned businesses across the U.S., including churches, religious radio personalities and pro-life groups.
A review of a portion of the database showed each record contained payee names, email addresses and in many, but not all, cases, postal addresses. Each record also had the name of the merchant being paid, the card type, the last four digits of the card number and its expiry date.
After TechCrunch contacted Cornerstone, the company pulled the database offline.