#Privacy: More than 2.5 million credit card transactions exposed

A database containing one of the largest collections of credit card numbers has been discovered.

Security Discovery researcher Jeremiah Fowler initially discovered a database in February 2019 belonging to the Nigerian-based Electronic Settlements Limited.

Electronic Settlements Limited is the parent company of CashEnvoy, PayPad and many more companies.  

The database contained over 8 million records. After Fowler notified the company, it acted fast and closed public access. However, when asked whether it had notified its users, merchants, or partners, the company simply stopped responding.

“We did not publish our discovery at that time as a professional courtesy and because of how concerned they appeared to be before they ignored all communication and went silent,” said Fowler. 

On October 17, a second database containing data on 2.59 million credit and debit card transactions was discovered.

“This is one of the largest collections of credit card numbers I have ever seen and the worst part was that only a small portion of the actual number was encrypted.”

The second database was set to open and was therefore publicly accessible: anyone could view, edit, download, or even delete data without administrative credentials. In addition, IP addresses, ports, pathways, and storage information were discovered, all of which threat actors can exploit to gain deeper access into the network.

“Technology companies even in emerging markets must do more to protect the data they collect and store on their users and partners.” 

The worst part of this whole incident is that Electronic Settlements Limited had already had a wake-up call, which it clearly ignored.

“User data is valuable no matter where you are from or who you are and this discovery highlights the need for organizations to put the same focus on data security as they do on profits or revenue.”

It remains unknown whether Electronic Settlements Limited has notified the relevant authorities or impacted users.

