Online school payments service WisePay announced that hackers stole the payment card details of parents who used the service to make payments to schools and colleges between 2nd and 5th October.
WisePay advertises itself as a secure online school payments service, allowing parents and guardians to make cashless payments to their school or college. Operating since 2007, WisePay enables fee payments, exam payments, bursary payments, payments for sports activities, as well as meal payments. The firm said its website facilitated over £500 million in payments by the end of 2017.
Earlier this year, WisePay rebranded itself as the UK’s most flexible payments system in the education market and also launched a new website that, it said, featured clear accessibility, cleaner menus, and a more visually appealing look.
However, it is not clear how secure the website is, as the school payments service announced this week that hackers broke into its website between 2nd and 5th October and stole payment card information of parents who made transactions on the website in the four-day period.
According to news reports, the cyber attack began on Friday night and was not noticed by WisePay until 10am on Monday morning, indicating that hackers enjoyed a free run during the weekend. The firm admitted that payments to about 300 schools were affected by the cyber attack, before adding that only a small number of parents were impacted.
Richard Grazier, the managing director of WisePay, told the BBC that the affected people were "quite a small subset of users of the platform" as the cashless payments made between October 2nd and 5th, such as exam fees and school meals, were not supposed to be paid on a daily basis.
According to The Register, WisePay pulled its website offline on Monday morning after detecting a "URL manipulation" attempt that involved hackers "spoofing the Sagepay page to capture card details". The website was restored on Wednesday and WisePay told customers that it had engaged a cyber forensic agency to investigate the incident further.
Richard Grazier told the BBC that the hacker, who is yet to be identified, infiltrated WisePay's database and modified a web page to redirect visitors to a fake payment page when they clicked to make a payment. The fake webpage spoofed the legitimate payment page, thereby making it difficult for visitors to identify it as a fake one.
Commenting on the theft of payment card data from WisePay's website, Shlomie Liberow, Technical Program Manager at HackerOne, said that while it is unclear exactly how hackers breached WisePay, the attack reinforces the need for businesses to continuously test their sites to ensure they are aware of how their software could be exploited.
"There is no silver bullet or quick fix to cyber security, otherwise every business would already be implementing it. But breaches like this drive home the point that every company should have a formal process to ensure continuous testing, this is the only way organisations will be able to stay a step ahead."
According to Anurag Kahol, CTO of Bitglass, companies must deploy security solutions that can prevent data leakage; for example, cloud access security brokers (CASBs) that provide features like cloud security posture management (CSPM), data loss prevention (DLP), user and entity behaviour analytics (UEBA), and encryption of data at rest. With these types of capabilities, businesses and consumers can be certain that their data is truly secure as they make purchases.