Sponsored by:

Someone just lost 324k payment records, complete with CVVs

Edit: A day and a half after publishing this post, the source of the data was eventually identified and a statement issued. Do see the updates at the end of this post.

I see a lot of data breaches. I see a lot of legit ones and I see a lot of fake ones and because of that, I always verify them before making any claims that an organisation has been hacked. Usually I'll verify and then in conjunction with journalists I know and trust, there'll be a private disclosure to the company involved. Good journos are very adept at getting answers to these things and when it's going to be a story that hits the news anyway, it ensures there's a way of getting responses from the impacted organisation before it hits the interwebs. Every so often though, we all get left totally stumped as to what actually went on.

Such has been the case recently for a data breach that I'm highly confident is legitimate but nobody wants to "own". I've worked with a couple of different trusted journos who are very good at getting answers but have ultimately been unable to draw the saga to a conclusion, largely because neither of the parties I believe are involved believes the breach originated from them. So I'm just going to write about the whole thing here, lay the facts out as they stand then see if anyone wants to own it once the details are public.

It all began with this tweet a couple of months ago on 10 July:

0x2Taylor Tweet

This isn't an embedded tweet because it has since been deleted. However, that happened more than a month later which was plenty of time for people to access the alleged BlueSnap database on the Mega hosting service before that link was also disabled. I grabbed a copy of it for later review then headed off on travels, not returning to look at it properly until late August.

BlueSnap is a payment provider which allows websites to take payments from customers by offering merchant facilities. BlueSnap was founded in Israel back in 2001 where it was originally known as Plimus (both of these facts have later relevance I'll come back to). It was later acquired in 2011 for $115M and rebranded as BlueSnap which is both the present day trading name and the alleged source of the breach in 0x2Taylor's tweet.

Obviously the first thing anyone is going to do when verifying a data breach is look at the contents so here's what I found: The data is in a single file named "Bluesnap_324K_Payments.txt" and as the name suggests, it has 324,380 rows in it with a total of 105k unique email addresses. The first transaction is on 10 March 2014, the last on 20 May 2016. Each row appears to be a payment record which looks like this:

Sample payment record

The grey obfuscation is personal information relating to an Have I been pwned (HIBP) subscriber who assisted me with the verification process. The red obfuscation is card data and the arrow points to the "security-code" field which is the CVV. This is the CVV too but again, I'll come back to that.

This is actually only a small porting of the row, in fact it's a mere 14% of the entire record. Every row begins with "0x2Taylor" and contains pipe delimited values along with XML you see above. I've actually decoded a portion of this; the original file included encoding as follows:

\u003ccard-type\u003eVISA\u003c/card-type\u003e

Which decodes as follows:

<card-type>VISA</card-type>

This gives us a bit of a sense of where the data may have been used as the encoding could be used in the JavaScript context.

The other clue in the file here is the word "Plimus" which as you'll recall, was the name BlueSnap went by before 2011. That's two positive indicators of the source but they're also easily fabricated indicators and I wanted some hard facts. So I asked for them.

I've just passed 700k verified subscribers to HIBP, that is people who've come to the site, added their email address to the free notification service then received a confirmation email and clicked on the link to opt in. These are people who are interested in their exposure online, exactly the sort of exposure that this breach here has led to. What I do these days when I need to verify a data breach that's a bit harder than usual or is particularly sensitive is email some of the most recent HIBP subscribers who are in the alleged data breach and ask them if they're willing to assist in verifying the incident. When they respond (and it's always a positive response because they're naturally curious), I send them an email with questions along these lines:

  1. Do you live on [redacted]?
  2. Did you have a Visa card that expired in [redacted]?
  3. There is a purchase against your record from 2014-06-15 for the value of $160 USD; do you recognise the name beginning with "JCC-Maccabi-Games"? This is possibly the service you paid.
  4. This may be a harder one given the card has expired, but if you recall, did the CVV end with the number [redacted]?

Let's talk about that CVV for a moment. The Card Verification Value is an extremely important piece of data because it's used to verify the card in scenarios where it's not present, such as when making an online purchase. When the retailer requests the CVV, it means that even if someone has your card number and expiry, without that 3 or 4 digit code the data should be useless as far as making online purchases go. For example, if a database of transactions is leaked then so long as there's no CVV then the cards should be useless on any site that requests it (most do, Amazon is a notable exception to this). When the CVV is in the hands of a malicious party, the very mechanism that was put in place to protect consumers in "card not present" scenarios falls apart. PCI DSS is very clear about how the CVV (or CVV2 as it is these days) should be stored:

Technical Guidelines for PCI Data Storage

It shouldn't be stored and that's what makes this breach such a big issue. Violation of PCI DSS guidelines can lead to pretty serious fines and even loss of merchant facilities; the card providers take this very seriously. I take it seriously as well which is why I also asked HIBP subscribers to verify their CVV by providing me with an additional digit to avoid any confirmation bias (I didn't want them just answering "yes" to each of my questions). It checked out - this is the CVV.

I still wanted to be certain the transactions themselves were clear though but it was tricky to identify the actual source from the raw data alone. The one indicator of the source that was present in the file was an attribute named "soft-descriptor" which in the example above was "JCC-Maccabi-Games". I wondered initially whether this might just be a case of one particular site losing a bunch of data, that was until I aggregated the attribute and looked at the spread of records. In total, there were 899 unique values with the top 20 by prevalence appearing as follows:

  1. EntourageManageme : 6299
  2. regpackclients : 6084
  3. Kidventure : 3728
  4. METNY2015201 : 2660
  5. Group-RX-New-Camp : 2535
  6. Wild-Whatcom : 2453
  7. CampKeeTov2016 : 2232
  8. garinusa : 2178
  9. JCC-Maccabi-Games : 2163
  10. USY-Summer-Program : 2088
  11. AvaAndersonNonT : 2005
  12. National-College-T : 1986
  13. High-Sierra-Pools : 1919
  14. Dedicated-To-Learn : 1846
  15. METNY-2014-2015 : 1761
  16. Dedicated-to-Learn : 1717
  17. EastBaySPCA : 1700
  18. SanDomenicoSummerC : 1684
  19. SAEP : 1642
  20. USY-International : 1548

The record I was looking at was merely the 9th most common result, clearly there were many others involved too. But it still wasn't clear precisely what these websites were nor what was purchased from them. The answer to that lie further down in the data within a Plimus URL formatted as follows:

https://www.plimus.com/jsp/show_invoice.jsp?ref=[redacted]

As the URL suggests, this then takes you through to an online invoice like this:

BlueSnap invoice

There are many interesting things about the invoice, the first of which is that it obviously identifies BlueSnap quite clearly both by virtue of their brand and the Plimus URL. It also matches the individual's identity and address from the data breach file which goes a long way to establishing authenticity. Then we can see the website itself where the payment was made which is at jcca.org. The site has a donation page complete with a payment form:

Payment form o the JCC Association website

As you can see, the logo clearly indicates that this is "Secure Credit Card Processing"...

There's nothing on the site or the structure of the payment form that indicates BlueSnap though and it looks as though the integration with the payment provider is done entirely on the server side without exposing that information publicly. But there was another piece of information on the invoice which didn't initially stand out at me and only later piqued my interest after another HIBP subscriber made this comment:

I still have the conformation email (a Summer Camp). It referenced http://www.regpacks.com so that might be a possible source too.

Now this is interesting because the invoice in the earlier image refers to a support email address on the regpacks.com domain. Regpack offers a registration service and part of the feature set is this:

Receive payments during registration rather than post-registration

Dealing with payment info is serious business so they also offer some assurances as to their security position:

Regpack bulletproof security

Another piece of relevant information on the Regpack website is a list of just a few of their customers, including JCC Maccabi Games:

Regpack customers

Every single HIBP subscriber I contacted had an invoice referencing a Regpack email address for support. It was looking more and more like they were taking the registrations then passing them downstream to BlueSnap for payment processing. In fact, that's precisely what was happening and it was easily verified via a press release a few years ago:

Waltham, Mass.---April 2, 2013---BlueSnap™, the most flexible and advanced buying platform for online companies selling goods and services over the web and mobile, today announced that Regpack, a global online enrollment platform serving the private education industry, has selected BlueSnap to process the financial transactions for its online enrollments. Regpack integrates with BlueSnap’s flexible and advanced payments platform to provide a complete enrollment and payments solution for organizations such as private schools, camps, educational tourism, faith community organizations, seminars and professional conferences.

In that press release, the Regpack CEO goes on to say:

Moreover, BlueSnap’s strict security measures for online transactions mean that we can use BlueSnap to process payments and conduct business without going through the expense of becoming PCI-compliant level one on our own.

Now by this stage you'd think the whole thing was wrapped up; either Regpack or BlueSnap have had a data breach and leaked a few hundred thousand transactions replete with partial card data and CVVs. The problem is though, neither party believes the breach came from them. I worked with two separate journalists on this and they both had feedback from BlueSnap and Regpack suggesting another party was responsible. I also reached out to them both yesterday for comment and got this from BlueSnap:

Based on an investigation we initiated as soon as we heard about the data set, we hired a top PCI-certified Incident Response firm. Based on that investigation we confirmed that BlueSnap did not experience a system breach or any data loss.

And got this from Regpack:

As a preventive measure, we ran a full forensic investigation and it has concluded that there was no data breach on Regpack servers. In spite of that, we have run the full security protocol implemented in these cases and conclusively determined that our servers were not involved.

Personally, I see indicators implicating both of them. On those that point to BlueSnap losing the data, there's the name of the file itself and 0x2Taylor's original assertion that it came from them in the first place. The file wasn't named "Regpack_324K_Payments.txt", it was BlueSnap's name in there and whilst a file name alone is not proof of an incident, it's an indicator. Then there's the nature of the sites that were involved; when I checked with HIBP subscribers, we identified sources such as the Jewish Community Centers Association of North America mentioned above, Liberal Judaism and Passages America Israel. There were other non-Jewish organisations involved as well (such as the East Bay SPCA), but it's hard to ignore the coincidence of the organisation being implicated as having lost the card data to have its origins in Israel then see such a prevalence of Jewish websites using their services. But then again, they all had Regpack support email addresses on them, so onto them...

Regpack's name is associated with every one of the HIBP subscribers I contacted. I'd expect that if BlueSnap was the source of the breach then we'd be seeing a mix of downstream consumers in the file, unless they store the data in such a way that Regpack's records are isolated from other customers and they alone got breached. Another indicator pointing to Regpack as the source of the incident is that per the statement above, they don't need to be PCI complaint and thus haven't gone through the rigour of audits. (Edit: I've put a strike through this because the CEO's comment was around level one PCI compliance. Regpack may be compliant with a lower level requiring less rigour.) Now by no means does merely being PCI compliant guarantee a breach won't happen, but when the transgressions are as egregious as storing the CVV, something is majorly amiss. And finally, "regpackclients" features as the second most common "soft-descriptor" in the earlier bulleted list with over 6k entries. That's slightly odd because there are many other descriptors which then have invoices referring Regpack's email address for support, but it's yet another indicator of how heavily they feature in the data.

Now it's possible that the data has come from another unnamed party, but it's highly unlikely. Not only could I not pick a pattern in the data suggesting it was sourced from elsewhere, but the CVVs just shouldn't have been there. We've got 899 totally separate consumers of the Regpack service (so it's not from one of them) who send their data direct to Regpack who pass payment data onto BlueSnap for processing. Unless I'm missing a fundamental piece of the workflow (and I'm certainly open to suggestions on what this might be), it looks like accountability almost certainly lies with one of these two parties.

Lastly, just to absolutely, positively avoid any remaining doubt that this is a legitimate data breach, let me share a collection of responses from HIBP subscribers (note also the responses regarding the CVV):

Address is correct and yes I did have a card that expired in 2014

That all seems right

Yes, that information is correct

I had a Visa card ending in 10 and I am pretty sure it expired in 2013

Yes, we do have a visa that expires in 2020, and yes the CVV ends in 8

This is genuine information that you have provided

I don’t know how they got the CVV either

So that's where it stands at the moment - it's highly likely that either BlueSnap or Regpack lost the data - but frankly, I'm more concerned about those who have their info floating around the web which includes:

  1. Names
  2. Physical addresses
  3. Email addresses
  4. IP Addresses
  5. Phone numbers
  6. Last 4 digits of their credit cards (remember, this is identity verification data and it's enormously useful for hijacking accounts)
  7. CVV
  8. Online invoices which then include details of their purchases

These people need to know that their data was posted publicly to Twitter and none of us have any idea how many people now have it. They need to cancel impacted cards (full card data wasn't leaked, but refer to the link above re partial data being used to hijack accounts) and be aware that their personal info has been exposed. The sites using these facilities also need to be notified because they're the ones that have the relationship with the customers. This requires the cooperation of BlueSnap and Regpack, the former of which is still hosting those invoices publicly on the plimus.com domain where anyone who has the invoice numbers from the breach can simply enumerate them and pull down even more personal data. It may not be a pleasant experience for them, but they need to step up and take responsibility.

I've now loaded all 105k email addresses into HIBP so if you think you may have been impacted, you can search for your address on the site. I've indicated that it's a BlueSnap breach and linked through to this post simply because that's the name it was represented as but will change that if it's determined otherwise. Right now the priority should be in supporting those whose personal data has been disclosed and attribution can follow later.

Update 1 (12 hours later): I've had further feedback from BlueSnap who remain adamant the data hasn't come from them and have issued the statement below to their merchants. I've asked point-blank if they believe Regpack is the source of the breach and will post an update here if there's any feedback I can share. As yet, I don't believe the individuals in the breach whose data is been publicly circulated have been notified by either party.

BlueSnap memo to merchants

Update 2 (24 hours after initial post): There's been a lot of discussion on this incident both in the comments below and via email. A number of people have said they've reached out to Regpack and received responses indicating that they weren't the source of the breach and offering little support beyond there. I want to reiterate a few immutable facts:

  1. The data in the breach is legitimate and contains personal information
  2. There are hundreds of thousands of transactions out in the wild including details on over 100k customers
  3. The data contains the last four digits of the card which are frequently used for identity verification purposes
  4. The data contains the CVV which should never have been stored by anyone
  5. BlueSnap has known about the incident since at least the 21st of August
  6. Regpack has known about the incident since at least the 26th of August
  7. Websites who had customer data exposed were using the services of Regpack
  8. Regpack may not have lost the data, but they're accountable to their customers which means the sites using their service
  9. As yet, to the best of my knowledge those impacted in the data breach have not been notified and that includes both websites using Regpack and customers who made purchases

Given there's still no resolution to this and neither BlueSnap nor Regpack believe they're responsible, I'm listing all 899 "soft-descriptor" values below complete with the number of transactions each has in descending order (these are the websites using the Regpack service). If your site is amongst that list and you're concerned for your customers, contact the organisation you sent the transaction to as they're the party you have the relationship with and entrusted with the data.

  1. EntourageManageme : 6299
  2. regpackclients : 6084
  3. Kidventure : 3728
  4. METNY2015201 : 2660
  5. Group-RX-New-Camp : 2535
  6. Wild-Whatcom : 2453
  7. CampKeeTov2016 : 2232
  8. garinusa : 2178
  9. JCC-Maccabi-Games : 2163
  10. USY-Summer-Program : 2088
  11. AvaAndersonNonT : 2005
  12. National-College-T : 1986
  13. High-Sierra-Pools : 1919
  14. Dedicated-To-Learn : 1846
  15. METNY-2014-2015 : 1761
  16. Dedicated-to-Learn : 1717
  17. EastBaySPCA : 1700
  18. SanDomenicoSummerC : 1684
  19. SAEP : 1642
  20. USY-International : 1548
  21. ssoregistration : 1479
  22. WildWhatcom : 1475
  23. yjevents : 1403
  24. CampKeeTov2015 : 1397
  25. Pantano-Christian : 1377
  26. TAPROOTNATUREEXPER : 1232
  27. aardvarkisrael : 1224
  28. Jackson-Sports-Aca : 1203
  29. DBatMustangs : 1151
  30. Mda-Israel-Program : 1148
  31. JacksonSportsAcade : 1121
  32. MissionBaySport : 1064
  33. PantanoChristian : 1058
  34. ElDoradoMusical : 1032
  35. CWRU : 1023
  36. USYSummerProgram : 1004
  37. DanceTheatre : 967
  38. ServeCamp : 965
  39. Saint-Helens-scho : 927
  40. BrightMindsYouth : 924
  41. Northwest-Hydroele : 922
  42. CreativeAction : 910
  43. shevettapuach : 872
  44. Young-Judaea-Year : 866
  45. ArtTime : 864
  46. USYInternational : 860
  47. SAEP2016 : 856
  48. Matthew13Catholi : 852
  49. North-Texas-Confer : 817
  50. real-life-summer-c : 799
  51. Hanegev2015-2016 : 799
  52. Camp-Kee-Tov-2014 : 786
  53. Shasta-Community-C : 777
  54. METNY : 773
  55. ReggaeRunnerz : 767
  56. Seaboard2015 : 742
  57. DANCE411 : 740
  58. OPEF2016SummerB : 736
  59. Gilbert-High-Schoo : 725
  60. L3X : 721
  61. D2L2016-Walnut : 721
  62. ShastaCommunityC : 704
  63. ArizonaScienceCe : 701
  64. MagnificatHighSc : 689
  65. OPEF-BASE-Camp-201 : 674
  66. grinnellcollege : 659
  67. D2L2016-Diamond : 655
  68. Hagalil20152 : 654
  69. HS-uniform-fees : 648
  70. El-Dorado-Musical : 648
  71. Saint-Helens-Schoo : 643
  72. artomatic : 639
  73. garin : 636
  74. WildfishRegistrat : 635
  75. ParksPlusCreatio : 625
  76. NorthTexasConfer : 625
  77. SAN-JOAQUIN : 617
  78. EMTZA-Staff-2014-2 : 614
  79. Hanegev-2014-2015 : 606
  80. teamworksdogtraini : 602
  81. CampCardiac : 602
  82. BergenCommunityC : 602
  83. American-Pavilion : 600
  84. tzofimcvk : 571
  85. Group-RX : 571
  86. BBYO-UK : 564
  87. YoungJudaeaYear : 562
  88. MdaIsraelProgram : 558
  89. Juneau-Dance-Theat : 557
  90. BASE-Camp-2014 : 548
  91. VISnet-2014 : 539
  92. Stonewall-Columbus : 536
  93. camp-liberty : 536
  94. LaurensKids : 532
  95. WesternSocietyfo : 528
  96. iedesign : 525
  97. wujs : 503
  98. camp-liberty2016 : 494
  99. LimmudNY2016 : 482
  100. visnet : 480
  101. PENINSULACOLLEGE : 479
  102. CRUSY-2014-2015 : 479
  103. CourtsForKids : 479
  104. Saint Helen's scho : 479
  105. Field-Institute-of : 478
  106. Seaboard-2014-2015 : 475
  107. CampKeeTov2014 : 473
  108. EMTZA2015-2016 : 472
  109. Master-Russian-pro : 469
  110. HighSierraPools : 463
  111. MuseumoftheBibl : 462
  112. 1870Farm : 460
  113. SummerCollegeTra : 460
  114. LIMMUDNY : 459
  115. DistrictVIICDA : 456
  116. USY-EMTZA : 442
  117. UniversityCitySwim : 439
  118. KidsCreativeAdve : 431
  119. Young-Judaea-Amiri : 430
  120. BACC-Camp : 427
  121. CHUSY2015-2016 : 427
  122. Young-Judaea-Summe : 420
  123. VISnet2014 : 410
  124. DoctorDevelopment : 399
  125. JCCMaccabiGames : 397
  126. METNY-2015-201 : 393
  127. SWUSY2015-2016 : 393
  128. nativ : 392
  129. CRUSY2015-2016 : 390
  130. BuildingMinds : 386
  131. Parks-Plus-Creatio : 383
  132. Kids-and-Culture-C : 379
  133. CHUSY-2014-2015 : 377
  134. Wild What : 374
  135. RockyMountainBir : 373
  136. SanDomenicoAfter : 372
  137. One-Love-Training : 371
  138. SaintHelensSchoo : 370
  139. Needham-Millis-Dan : 369
  140. Songleader-Boot-Ca : 368
  141. 3CrossesCamp2016 : 359
  142. Southwest-District : 358
  143. FZYTour2016 : 356
  144. JCCMaccabi2016- : 355
  145. JTerm : 351
  146. Nevada-City-CA : 350
  147. ibc : 349
  148. NERUSY201520 : 344
  149. XavierHighSchool : 343
  150. JewishBookCounci : 338
  151. Jivamukti-Yoga-Wil : 337
  152. FOOTSTEPSFORFERTIL : 334
  153. Dance411Rental : 332
  154. NewFrontier2015- : 332
  155. SaintHelensBaske : 328
  156. CampGideon : 327
  157. NORTHERNMOVEME : 326
  158. Camp-Eagle : 326
  159. RythersAspiringY : 322
  160. DBatsHSuniform : 320
  161. Hagesher2015 : 318
  162. XavieriPadSale : 316
  163. IASSIST : 312
  164. CH-USY : 310
  165. SummerShowoffs : 310
  166. Hope-Girls-Basketb : 308
  167. Jewish-Book-Counci : 306
  168. USYKadimamember : 305
  169. USY International : 305
  170. Newton-Inspires-20 : 300
  171. regpack_clients : 299
  172. CampTaylorHearts : 298
  173. Hagesher-2014-2015 : 297
  174. Soccerstlmo : 297
  175. Jivamukti-Yoga-New : 295
  176. DramaLearningof : 285
  177. Southeast-Student : 282
  178. homeschoolcampus : 281
  179. SWUSY-2014-2015 : 275
  180. Northwest-Technica : 274
  181. FZYTour : 272
  182. OurLadyofGoodC : 272
  183. Hagalil-2014-2015 : 270
  184. BACCCamp : 264
  185. 3Crosses-Camp : 262
  186. Israel Reform Move : 262
  187. NorthwestTechnica : 260
  188. WashingtonIrving : 257
  189. ColoradoEducation : 257
  190. COMMUNITYOFCHRIST : 256
  191. Grace-North-Church : 254
  192. SCRA Group Lessons : 254
  193. EmersonWaldorfSc : 253
  194. mmea : 251
  195. Bali-Institute : 245
  196. Menlo-Park-Legends : 244
  197. ACSportsAcademy : 244
  198. Art-Time : 243
  199. WildernessExperie : 243
  200. Ramah-2015-Summer : 236
  201. Sway-Youth-Enrichm : 235
  202. Hi-Tech-Learning : 232
  203. CAConsultingLLC : 232
  204. Camp-Taylor-Hearts : 230
  205. Israel-Reform-Move : 229
  206. SW-USY : 227
  207. OurLadyMotherofthe : 226
  208. WMtrainingandevent : 225
  209. Liberal-Judaism-Ev : 224
  210. YJyearroundreg : 224
  211. NewHeights : 224
  212. greenedventures : 223
  213. JuneauDanceTheat : 223
  214. nyoda : 221
  215. TurtleHillEvents : 220
  216. IslamicWeekendSc : 219
  217. WildfishTheatreS : 216
  218. FZY-Tour-2015 : 215
  219. SouthwestDistrict : 215
  220. CuyahogaValleyCh : 213
  221. PortCityCommunit : 208
  222. Southern-Connectic : 206
  223. PooleofFineArts : 206
  224. Cuyahoga-Valley-Ch : 205
  225. Hi-TechLearning : 205
  226. Group RX : 205
  227. SCRA Private lesso : 204
  228. Northern-Movement : 203
  229. GroupRXNewCamp : 203
  230. FreestyleLanguage : 203
  231. HitchcockCenterF : 199
  232. New-Frontier-2014- : 198
  233. FieldInstituteof : 194
  234. GilbertHighSchoo : 192
  235. D2L2016-Suzanne : 191
  236. CarolyneBarryAct : 190
  237. Mapleton City - Ra : 189
  238. Rye-PTA : 189
  239. FarWest2015-2016 : 189
  240. BBYOUK : 188
  241. IndianapolisBarA : 188
  242. Cycon : 186
  243. New-Heights : 186
  244. Soccerstlmo2016 : 186
  245. Klein-United-Metho : 185
  246. Walk-Your-Path-Wel : 184
  247. WingraBoatsSumme : 181
  248. Wildheart-Nature-S : 180
  249. Hope-Basketball-Ca : 179
  250. Camp-del-Corazon : 177
  251. Hitchcock-Center-F : 177
  252. Mt-Tabor-Summer-Ba : 177
  253. Tzafon201520 : 177
  254. USY-Pinwheel : 176
  255. Notre-Dame-of-Mt : 175
  256. TechSmart Kids : 175
  257. catesol-2016-san-d : 174
  258. OPEF-Build-Day-201 : 173
  259. LincolnSchoolPTO : 171
  260. USY-Leadership-Pro : 170
  261. CommunityEnvironm : 170
  262. Cambridge-EllisSc : 169
  263. WoodsHumaneSocie : 169
  264. BoysGirlsClubs : 168
  265. JesseHelmsCenter : 165
  266. YoungJudaeaSumme : 164
  267. CampEagle2016 : 164
  268. D2L2016-Chaparr : 164
  269. PIP : 163
  270. SCRA-Group-Lessons : 162
  271. MasaTlalim : 162
  272. Saint Helens Year : 162
  273. LighthouseForthe : 162
  274. catesol-2016-la-co : 162
  275. YoungJudaeaYearCou : 161
  276. Broadway-Bootcamp : 159
  277. YoungJudaeaAmiri : 159
  278. OCA2016Conventio : 158
  279. ConservativeYeshiv : 156
  280. OPEFBuild4Good : 156
  281. 2015-Camp-del-Cora : 155
  282. OPEF-Gadget-Day-20 : 155
  283. Galilean-Bible-Cam : 154
  284. l3x : 154
  285. EMS-and-Healthcare : 154
  286. SCRAGroupLessons : 153
  287. Camp-Gideon : 153
  288. marva : 151
  289. AnimalFriends : 151
  290. The-Circle-School : 149
  291. NERUSY-2014-2015 : 149
  292. Animal-Friends : 149
  293. BionRegionalSymp : 149
  294. Saint-Helens-Year : 147
  295. JYTT-India-2015 : 145
  296. Rosarian-Academy : 145
  297. Jivamukti-Yoga : 143
  298. WESLEYANCHURCH : 142
  299. yj_events : 141
  300. ccofSummer2016 : 141
  301. MarquardtSchoolD : 138
  302. TheHomeOwnership : 136
  303. 2016CampdelCora : 136
  304. RamahIsrael : 135
  305. Hudson-Valley-Rib : 135
  306. StonewallColumbus : 134
  307. Liberal-Judaism-Ca : 132
  308. SCRAPrivateLessons : 131
  309. AMHCA : 131
  310. NorthernMovement : 131
  311. NoamMasortiSummerc : 130
  312. SLBC2016 : 130
  313. Dance-411-Summer-2 : 128
  314. Pinwheel-2014-2015 : 128
  315. ZebrafishHusbandr : 128
  316. Master Russian pro : 126
  317. Camp-Moonlight : 125
  318. SCU : 125
  319. AWS-Detroit : 123
  320. OakHillMontessor : 121
  321. Tichon-Ramah-Yerus : 119
  322. HopeGirlsBasketb : 119
  323. EMS and Healthcare : 119
  324. Courts-For-Kids : 118
  325. DoulaTrainingsIn : 117
  326. ChoreographyFesti : 117
  327. Rocky-Mountain-Bir : 116
  328. LiberalJudaismCa : 116
  329. knowledgecrossingb : 116
  330. RosarianAcademyS : 116
  331. McCallum-Theatres : 115
  332. Camp-Sunrise : 115
  333. HVRF2016 : 115
  334. BethEl5776 : 114
  335. TK20 : 113
  336. Camp-Gan-Israel- : 112
  337. KeystoneDiabetic : 112
  338. JYTT-Costa-Rica-20 : 111
  339. Canterbury-School : 110
  340. OmiInternational : 110
  341. TheIndependentSc : 110
  342. catesol-2016-north : 110
  343. BroadwayBootcamp : 107
  344. Dance411Staff : 107
  345. USPostalService : 107
  346. BLax : 107
  347. CEF-of-Fargo-and-M : 105
  348. EPA20152016 : 105
  349. BYP100 : 104
  350. Tzafon-2014-2015 : 103
  351. FICEAustria : 102
  352. YoungJudaeaWUJS : 101
  353. HooglandCenterFo : 101
  354. Hanefesh2015 : 100
  355. SlowFoodNewOrle : 100
  356. camp_gan_israel : 96
  357. Dance-411-Staff : 95
  358. ISL Futbol : 95
  359. PlaycreationsKids : 95
  360. BeachesEpiscopal : 95
  361. EPA-2014-2015 : 94
  362. MasterRussianpro : 94
  363. Mda Israel Program : 93
  364. ZestfulGardens : 93
  365. SCRA-Private-lesso : 92
  366. CanterburySchool : 92
  367. Village-Academy : 90
  368. HPCS2016 : 90
  369. YoungCodersAcade : 89
  370. VistaSchoolingan : 89
  371. NewNebConference : 88
  372. 3CrossesCamp : 88
  373. PacificIntegral : 88
  374. Pinwheel2015-2016 : 88
  375. Beth-El-School-Reg : 86
  376. Doula-Trainings-In : 85
  377. USYLeadershipPro : 85
  378. Ramah-2014-Summer : 84
  379. TheRingBoxingCl : 83
  380. EvolveVolleyball : 83
  381. Dance 411 Camp : 83
  382. Ramah2016Summer : 81
  383. Hope Girls Basketb : 81
  384. Bios : 81
  385. SpartanburgDaySc : 81
  386. Hanefesh-2014-2015 : 80
  387. CASFM : 79
  388. Winterblast : 78
  389. MtTaborSummerM : 78
  390. Snider-Mountain-Ra : 76
  391. NotreDameofMt : 76
  392. Db-Skim-Camp : 75
  393. BethElSchoolReg : 75
  394. JYTTINDIA2016 : 75
  395. GraceNorthFamily : 75
  396. TheChurchofthe : 75
  397. Mars-Global-Summit : 74
  398. PensionPro-Confere : 74
  399. Seaboard-2015- : 74
  400. itf_ie : 74
  401. NeedhamMillisDan : 72
  402. goodwillevents : 71
  403. Sway Youth Enrichm : 71
  404. AUJS : 70
  405. PacificIntegralR : 70
  406. CollegePrepCamp : 70
  407. GloucesterCommuni : 70
  408. BaliInstitute : 69
  409. JYTTCOSTARICA20 : 69
  410. Race-Corps : 68
  411. Maase-Olam-ITF : 68
  412. CampMoonlight201 : 68
  413. Dance-Versity : 67
  414. WAM : 67
  415. NationalAssociati : 67
  416. BBYO UK : 66
  417. YoungJudaeaCLIP : 66
  418. GCBC-Guelph-Comm : 65
  419. Overflow-Prophetic : 65
  420. BASECampArboretu : 65
  421. UtahSuzukiHarpI : 65
  422. RamahIsraelInsti : 64
  423. San-Domenico-After : 62
  424. Mobile-Bay-Sailing : 62
  425. WildheartNatureS : 62
  426. mda : 62
  427. OaklandInterfaith : 62
  428. NorthwestHydroele : 61
  429. AC-Sports-Academy : 59
  430. CampEagle : 59
  431. VillageAcademy : 59
  432. SleepTreatmentCo : 59
  433. Great-Lakes-Econom : 57
  434. The Circle School : 57
  435. SCAMedicalMissio : 57
  436. luselandbiblecamp : 56
  437. TheCircleSchool : 56
  438. MaaseOlamITF : 56
  439. Aspire Soccer Camp : 56
  440. USY-ECRUSY : 56
  441. USY Leadership Pro : 55
  442. Ramah-Jerusalem-Da : 54
  443. CollegiateWomens : 54
  444. TichonRamahYerus : 54
  445. Mabee-GerrerMuseu : 54
  446. PACEApplication2 : 54
  447. YoungJudaeaShalem2 : 53
  448. Northeast Epi Conf : 53
  449. american_sokol : 52
  450. CampCardiacNeuro : 52
  451. Temple Bnai Jeshur : 51
  452. SacredHeart-Shi : 51
  453. Lipkin-Tours : 50
  454. Hagalil-2015-2 : 50
  455. GalileanBibleCam : 50
  456. Camp-Gailor-Maxon : 49
  457. GarinTzabar : 49
  458. 2020-Technologies : 48
  459. HopeBoysBasketba : 48
  460. TzabarPolin : 47
  461. SpokaneINWAPSI : 47
  462. St-Andrews-Bay-Ya : 46
  463. OPAConvention2016 : 46
  464. CorpusChristiChu : 45
  465. DanceVersity : 45
  466. USYAlumni : 45
  467. IxlAcademy : 44
  468. TheFoodBusiness : 44
  469. WISEFORESTPRE : 43
  470. Camp-Experience : 43
  471. Liberal Judaism Ca : 43
  472. SantaMonicaLittleL : 41
  473. Willow-Springs-Cam : 41
  474. ScruplesSymposium : 41
  475. WestSideStudio : 41
  476. CEF of Fargo and M : 41
  477. Brian Jordan Camps : 41
  478. LagniappeAssociat : 41
  479. CrestmontCamp : 41
  480. RAMAHISRAEL : 40
  481. Ramah-Israel-Insti : 40
  482. Ixl-Academy : 40
  483. Friendship-Caravan : 39
  484. PACE-Application-2 : 38
  485. ierimon : 38
  486. The-Food-Business : 38
  487. Game-On-Sports : 38
  488. Vermont Infectious : 38
  489. CH USY : 38
  490. ktantanim : 37
  491. Crosslink-Meadows : 37
  492. MBP EA Conference : 37
  493. Young-Judaea-Shale : 36
  494. LFFPPeaceLeadersPr : 36
  495. KidsandCultureC : 36
  496. ForestHillsField : 36
  497. Pioneers Camp : 36
  498. Maase Olam ITF : 36
  499. WalkYourPathWel : 35
  500. CampKeeTov2013 : 35
  501. USY Summer Program : 35
  502. Northeast-Epi-Conf : 34
  503. Christ-Church : 34
  504. WomenWorkinginC : 34
  505. Clubcorp : 34
  506. Hagesher-2015- : 33
  507. garin_usa : 33
  508. CadillacLaSalleClu : 33
  509. CHUSYAnnualBenef : 33
  510. FZY-Camp-2015 : 32
  511. Collegiate-Womens : 32
  512. goodwillslp : 32
  513. YoungJudaeaOnwar : 32
  514. CSAKarateCamp : 32
  515. camp-yavneh : 31
  516. CEF2015 : 31
  517. IdeaCampRio : 31
  518. KarenPickettLMFT : 30
  519. ProyectoFeIntern : 30
  520. OPEF Base Camp 201 : 30
  521. ie_design : 30
  522. Kappa-Sigma-5k-Tro : 30
  523. SupportabilitiesF : 30
  524. Santa-Monica-Littl : 29
  525. Hope Basketball Ca : 29
  526. ClearconnectSolut : 29
  527. ALACCABibleCamp : 29
  528. NSTEP-Study-Buddy : 28
  529. Qverity : 28
  530. CampSunrise : 28
  531. HanegevStaff : 28
  532. campganisrael : 28
  533. CampWildcraft : 28
  534. HEICFellowsCours : 27
  535. TTS-Certification : 26
  536. Young-Judaea-Onwar : 26
  537. Onward-Israel-Gree : 26
  538. RosarianAcademy : 26
  539. StAndrewsBayYa : 26
  540. USY - EMTZA : 26
  541. Northfield-Confere : 26
  542. 1870Farm-Presch : 26
  543. SWUSY-Staff : 25
  544. MaaseOlam : 25
  545. ArtisticallyMe : 25
  546. Habitat for Humani : 24
  547. FZYKesher2016 : 24
  548. GoTechCamp : 24
  549. FreedomSchool : 24
  550. HarvesterChristia : 24
  551. shnatsherut : 23
  552. Santa Monica Littl : 23
  553. shevet_tapuach : 23
  554. Aspire-Soccer-Camp : 23
  555. OnwardIsraelGree : 23
  556. StrongwaterSwim : 23
  557. Camp-KidsTown : 22
  558. SWAMIVIVEKANANDA : 22
  559. ACNM : 22
  560. Kenosee-Lake-Bible : 22
  561. DbSkimCamp : 22
  562. TheWordChurch : 22
  563. EnvironmentalVolu : 22
  564. ACNM2016 : 22
  565. AnimatheForumF : 22
  566. JYTT-Germany-2015 : 21
  567. Prepare-Yourself-C : 21
  568. GraceNorthChurch : 21
  569. MtTaborSummerBa : 21
  570. RamahJerusalemDa : 21
  571. LimmudFest2016 : 21
  572. SW USY : 20
  573. Tichon Ramah Yerus : 20
  574. Vermont-Infectious : 20
  575. GOTS2016 : 20
  576. AWSDetroitLadies : 20
  577. AllenAcademy : 20
  578. TTSCertification : 19
  579. NewtonInspires20 : 19
  580. Dance Versity : 19
  581. Splash Bartow 2013 : 19
  582. USY Pinwheel : 19
  583. TechSmart-Kids : 19
  584. goodwilledp : 19
  585. ComposedEssays : 19
  586. Sewickley-Academy : 18
  587. HudsonValleyRib : 18
  588. American Pavilion : 18
  589. YoungJudaeaSummerP : 18
  590. ATSuccessLondonS : 18
  591. fzycamp : 17
  592. WholisticLearning : 17
  593. Shalomlearning : 17
  594. Artstream : 17
  595. METNY2016201 : 17
  596. USY-EMTZA-Staff : 16
  597. GCBCBOATING : 16
  598. Veida : 16
  599. Tzafon-2015-20 : 16
  600. 2015CampdelCora : 16
  601. CampMoonlight : 16
  602. JYTTGermany2015 : 16
  603. SWUSYStaff : 16
  604. YoungJudaeaAmirim2 : 16
  605. Dance411Camp : 16
  606. Baden-PowellNorth : 16
  607. GrowAGeneration : 16
  608. Hanegev-Staff : 15
  609. NERUSY-2015-20 : 15
  610. USY - ECRUSY : 15
  611. FZY-Year-Course-20 : 14
  612. Pacific-Integral : 14
  613. CrosslinkMeadows : 14
  614. MobileBaySailing : 14
  615. FZYYearCourse20 : 14
  616. Ramah 2014 Summer : 14
  617. FZYVeida2016 : 14
  618. International-Law : 13
  619. FZY-Events : 13
  620. PBC-Church-Registr : 13
  621. PensionProConfere : 13
  622. EMTZAStaff : 13
  623. Songleader Boot Ca : 13
  624. JH Ranch - Decembe : 13
  625. OneLoveTraining : 12
  626. GameOnSports : 12
  627. tzofim_cvk : 12
  628. YoungJudaeaFood : 12
  629. WorldLanguagePro : 12
  630. itfie : 11
  631. Customer-Love : 11
  632. COLLEGECERT : 11
  633. PBC-Camp-Registrat : 11
  634. CEFofFargoandM : 11
  635. FriendshipCaravan : 11
  636. JH-Ranch-Decembe : 11
  637. SacredHeart-Cam : 11
  638. CampGideon-Volu : 10
  639. betar-wingate : 10
  640. CampLookout : 10
  641. CoachTBasketball : 10
  642. Pinwheel-2013-2014 : 9
  643. GTO : 9
  644. InSync Volleyball : 9
  645. ChelseaYachtClub : 9
  646. fzyyearcourse : 8
  647. KolAmi : 8
  648. Hanegev-Staff-2014 : 8
  649. Hanefesh-2015- : 8
  650. IXLAcademy2016 : 8
  651. TheSchoolofBasketb : 7
  652. SWUSY-Staff-2014-2 : 7
  653. BIGR-AU : 7
  654. Muscolo-Meat-Acade : 7
  655. Zebrafish-Husbandr : 7
  656. SouthernConnectic : 7
  657. AFSIntercultural : 7
  658. MDP : 7
  659. IsraelTeenFellow : 7
  660. catesol-2016-annua : 7
  661. FZY-H-2013 : 6
  662. Summer-College-Tra : 6
  663. EMTZA-2015-2016 : 6
  664. NationalCollegeT : 6
  665. SummerAdultTrips : 6
  666. green_edventures : 6
  667. CrystalaireAdvent : 6
  668. HolidayShow-Offs : 6
  669. Sportstyme-Jupit : 6
  670. GO-ART-BOX : 5
  671. EPA-2015-2016 : 5
  672. SWUSY-2015-2016 : 5
  673. AutomicUniversity : 5
  674. IslamicAssociatio : 5
  675. fzy_camp : 5
  676. FZY H+ 2013 : 5
  677. Wild-What : 5
  678. ICCA-Membership-Du : 5
  679. Dbat-Mustangs-HS : 5
  680. FamilySystemSpo : 5
  681. GloucesterCounty : 5
  682. cwa : 5
  683. Camp-Gideon-Volu : 4
  684. PBCCampRegistrat : 4
  685. Dbat Mustangs - HS : 4
  686. fzy_yearcourse : 4
  687. ramah_high_school : 4
  688. SummerDelegation : 4
  689. FZYHadrachaPlus : 4
  690. KingdomWorkersSp : 4
  691. RaMessut : 4
  692. Click-Connect : 3
  693. Summer-Delegation : 3
  694. EMTZA-Staff : 3
  695. MassaFrance : 3
  696. PBCChurchRegistr : 3
  697. WiseYoungBuilder : 3
  698. IdaTeam : 3
  699. StaffordTechnical : 3
  700. shnat_sherut : 3
  701. Christ Church : 3
  702. Hagalil20162 : 3
  703. ATRRM : 3
  704. MissionSquash : 3
  705. Innovative-Academi : 2
  706. Bumble-ABC : 2
  707. A-Little-Culture : 2
  708. Noam-Masorti-Summe : 2
  709. YWCO : 2
  710. Keytana : 2
  711. CHUSY-2013-2014 : 2
  712. Wise-Young-Builder : 2
  713. Real-Life : 2
  714. 33rd-FICE-CONGRESS : 2
  715. Ramah2015Summer : 2
  716. OPEFBASECamp201 : 2
  717. FZYTour2015 : 2
  718. SportScienceFunS : 2
  719. Artomatic : 2
  720. yj_yearcourse : 2
  721. ramah_summer_semin : 2
  722. SplashBartow : 2
  723. l3x2012 : 2
  724. Rye PTA : 2
  725. israelchallenge : 2
  726. ienachshon : 2
  727. ramahhighschool : 2
  728. FortClarkston : 2
  729. UnitedSecurityTr : 2
  730. FZYKeytana2016 : 2
  731. SanFranciscoRecr : 2
  732. GrinnellCollege : 2
  733. HighroadConsultin : 2
  734. CertifiedSiteSaf : 2
  735. ChristsChurchof : 2
  736. AWSGolfOuting : 2
  737. JYCostaRicaAlumni : 1
  738. OURLADYMOTHER : 1
  739. ALASKA-NEW-MEDIA : 1
  740. ALASKATECHNICAL : 1
  741. COURTIER-INSPECT : 1
  742. N-DEPTH-RESP : 1
  743. Camp-Nyoda : 1
  744. L3X-2014 : 1
  745. COURT-SENTINEL : 1
  746. Central-Union-AS : 1
  747. Young-Judaea-Famil : 1
  748. Legacy-Soccer-Acad : 1
  749. Camp-Kee-Tov-2015 : 1
  750. SportScience-Fun-S : 1
  751. Stone-Mountain-Adv : 1
  752. newtoninspires20 : 1
  753. Stratford-Camp : 1
  754. AC-Flight-Lacros : 1
  755. ramahyouth : 1
  756. PBC-Individual-Reg : 1
  757. Camp-Liberty : 1
  758. The-Center-For-Wil : 1
  759. StemTree : 1
  760. Thinking-Outside-T : 1
  761. McCallum-Theatre : 1
  762. Ramah-2016-Summer : 1
  763. FPX-Conference : 1
  764. Einsteins-Workshop : 1
  765. Noahs-Ark-Zoo-and : 1
  766. Mr-D-Math : 1
  767. Western-Society-fo : 1
  768. Refreshing-Lives : 1
  769. River-City-FC : 1
  770. FZY-Hadracha-Plus : 1
  771. Palmetto-Engineeri : 1
  772. North-Georgia-Home : 1
  773. McCallum-Theatre-T : 1
  774. SLBC-2016 : 1
  775. Strongwater-Swim : 1
  776. Young-Coders-Acade : 1
  777. Hanegev-2015-2016 : 1
  778. CHUSY-2015-2016 : 1
  779. You-Give-It-We-Gr : 1
  780. Acts-World-Relief : 1
  781. Mindful-Leadership : 1
  782. Automic-University : 1
  783. Mabee-Gerrer-Museu : 1
  784. Child-Care-Council : 1
  785. FZYCamp2015 : 1
  786. CampGanIsrael- : 1
  787. USYMembership : 1
  788. WildfishTheatre : 1
  789. USYUploads : 1
  790. InternationalUSY : 1
  791. AmericanDanceIns : 1
  792. SewickleyAcademy : 1
  793. MuscoloMeatAcade : 1
  794. CRUSY2014-2015 : 1
  795. ECRUSY2015-2016 : 1
  796. OPEFBASECampFie : 1
  797. FortClarkton : 1
  798. CyliaHarrietFoun : 1
  799. JacobusConsulting : 1
  800. McCallumTheatreD : 1
  801. KidzNPlay : 1
  802. WestMetroFireRe : 1
  803. LifeSafetyDivisi : 1
  804. Ktantanim2015-201 : 1
  805. JDECRegistration : 1
  806. WMtrainingcenter : 1
  807. McCallumTheatres : 1
  808. TeamworksDogTrai : 1
  809. SouthwestVermont : 1
  810. MemphisTheologica : 1
  811. E-Rive : 1
  812. yj_summer : 1
  813. ie_rimon : 1
  814. israel_challenge : 1
  815. JH History Makers : 1
  816. LCFOilers : 1
  817. ICCA Conferences : 1
  818. Innovative Academi : 1
  819. yj_shalem : 1
  820. SWUSY Staff : 1
  821. L3X 2013 : 1
  822. shevettapuach2012 : 1
  823. College-Hockey-Exp : 1
  824. Student-Education : 1
  825. OPEF-Day-Camp-2013 : 1
  826. tigermma : 1
  827. Camp-Jano-India : 1
  828. Maccabi-games : 1
  829. Florida-Flyers : 1
  830. shevettapuach2014 : 1
  831. Artisul : 1
  832. DanceMissionYout : 1
  833. AWSDetroitChrist : 1
  834. WaynefleteInc : 1
  835. InternationalGlov : 1
  836. JacksonSportsAca : 1
  837. CATESOL2016Annua : 1
  838. AFA : 1
  839. Curtissandbox : 1
  840. CampRamahIsrael : 1
  841. CumberlandCounty : 1
  842. FZYWUJSSpring20 : 1
  843. FZYAmirim2016 : 1
  844. CampLiberty2016 : 1
  845. PilgrimCamp : 1
  846. Armed2Defend : 1
  847. HopeBasketballCa : 1
  848. WBRTR-Runners : 1
  849. WorldWarBrick : 1
  850. DistrictSummitRe : 1
  851. FreedomSchoolPar : 1
  852. LutheranChurchof : 1
  853. PanforkBaptistEn : 1
  854. CATESOL2016North : 1
  855. SantaClaraUniver : 1
  856. GalileanRetreat : 1
  857. Spokane-AVIDIns : 1
  858. TitanRobotics : 1
  859. KingdomWorkers : 1
  860. ArmedServicesYMC : 1
  861. CIS-HPCS : 1
  862. CaliforniaWorkfor : 1
  863. SkySummerCamp : 1
  864. CIS-CTS : 1
  865. TheBlackEconomic : 1
  866. Sportstyme-Welli : 1
  867. Sportstyme-Winte : 1
  868. CHUSY2016201 : 1
  869. CRUSY2016201 : 1
  870. Emtza2016201 : 1
  871. WUSY20162017 : 1
  872. VSSDance : 1
  873. EPAHagesher2016 : 1
  874. HanefeshNERUSY2 : 1
  875. HaNegev2016-201 : 1
  876. NewFrontier2016 : 1
  877. Pinwheel2016 : 1
  878. Seaboard2016 : 1
  879. Tzafon2016-2017 : 1
  880. WildfishTheatreJ : 1
  881. ProLevelTraining : 1
  882. MinnesotaMusicEd : 1
  883. FarWest2016 : 1
  884. GlobalWritersIns : 1
  885. KidsIntheGame : 1
  886. JumpStart : 1
  887. YoungJudaeaAlumn : 1
  888. KidVenture-Aftersc : 1
  889. SEFOF : 1
  890. McCallumTheatreT : 1
  891. MtCarmelMusicF : 1
  892. AWSDetroit : 1
  893. StoneMountainAdv : 1
  894. CampArrahWanna : 1
  895. CampSonburst : 1
  896. FrestaValley : 1
  897. KieslingAssociate : 1
  898. 2016-2017WinterB : 1
  899. Medinformatix : 1

Update 3 (a day and a half after initial post):

I've had further communication with both BlueSnap and Regpack since writing this post and the source of the data has now been identified as originating from Regpack. Let me share a statement from them here:

Further to the article Troy Hunt published both Regpack and BlueSnap have looked into the presented data loss. Reviewing the post by Troy Hunt assisted our engineers in reaching this conclusion: 

Regpack has confirmed that all payments information passed to the payment processor is encrypted on its databases. Nonetheless, periodically, this information is decrypted and kept internally for analysis purposes. We identified that a human error caused those decrypted files to be exposed to a public facing server and this was the source of the data loss. This was identified by our teams going back and reviewing some of the log files as indicated in the blog discussion post.  We have changed our approach to handling this data and are confident that this one-time mistake will not occur again.

To reiterate our security stance:

1. The source of the data loss was a procedural human error.
2. Neither Regpack nor BlueSnap had our systems breached. This has been confirmed by independent forensic experts retained by each company after the initial data loss. As a further security measure, RegPack has rebuilt all servers and run full security scans on the new servers. 
3. Both Regpack and BlueSnap have conducted thorough reviews of the environments and found that all systems are secure.
4. Regpack and Bluesnap have updated all internal security procedures and processes to ensure that no data can leave internal environments.  This will prevent the loss we saw in this case.

Regpack is notifying vendors whose customers were potentially affected so they can make the appropriate communications.

Obviously they now have various processes to go through including reaching out to impacted customers who will in turn need to contact their customers (the ones who made the purchases) and notify them of the data exposure. I've just updated HIBP to reflect the source of the data as being Regpack and adjusted the description accordingly.

If you run a website that uses Regpack services then you should hear from them directly. If you believe that your personal information was exposed then you should hear from the site you provided it to (yes, I know they didn't lose the data but that's the chain of relationships here).

Thank you to everyone who commented and provided input on this post, I'm glad the source has now been identified and steps can be taken to protect those who were exposed.

Security
Tweet Post Share Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals