Edit: A day and a half after publishing this post, the source of the data was eventually identified and a statement issued. Do see the updates at the end of this post.

I see a lot of data breaches. I see a lot of legit ones and I see a lot of fake ones and because of that, I always verify them before making any claims that an organisation has been hacked. Usually I'll verify and then in conjunction with journalists I know and trust, there'll be a private disclosure to the company involved. Good journos are very adept at getting answers to these things and when it's going to be a story that hits the news anyway, it ensures there's a way of getting responses from the impacted organisation before it hits the interwebs. Every so often though, we all get left totally stumped as to what actually went on.

Such has been the case recently for a data breach that I'm highly confident is legitimate but nobody wants to "own". I've worked with a couple of different trusted journos who are very good at getting answers but have ultimately been unable to draw the saga to a conclusion, largely because neither of the parties I believe are involved believes the breach originated from them. So I'm just going to write about the whole thing here, lay the facts out as they stand then see if anyone wants to own it once the details are public.

It all began with this tweet a couple of months ago on 10 July:

This isn't an embedded tweet because it has since been deleted. However, that happened more than a month later which was plenty of time for people to access the alleged BlueSnap database on the Mega hosting service before that link was also disabled. I grabbed a copy of it for later review then headed off on travels, not returning to look at it properly until late August.

BlueSnap is a payment provider which allows websites to take payments from customers by offering merchant facilities. BlueSnap was founded in Israel back in 2001 where it was originally known as Plimus (both of these facts have later relevance I'll come back to). It was later acquired in 2011 for $115M and rebranded as BlueSnap which is both the present day trading name and the alleged source of the breach in 0x2Taylor's tweet.

Obviously the first thing anyone is going to do when verifying a data breach is look at the contents so here's what I found: The data is in a single file named "Bluesnap_324K_Payments.txt" and as the name suggests, it has 324,380 rows in it with a total of 105k unique email addresses. The first transaction is on 10 March 2014, the last on 20 May 2016. Each row appears to be a payment record which looks like this:

The grey obfuscation is personal information relating to a Have I been pwned (HIBP) subscriber who assisted me with the verification process. The red obfuscation is card data and the arrow points to the "security-code" field which is the CVV. It really is the CVV too, but again, I'll come back to that.

This is actually only a small portion of the row; in fact it's a mere 14% of the entire record. Every row begins with "0x2Taylor" and contains pipe-delimited values along with the XML you see above. I've actually decoded a portion of this; the original file included encoding as follows:

\u003ccard-type\u003eVISA\u003c/card-type\u003e

Which decodes as follows:

<card-type>VISA</card-type>

This gives us a bit of a sense of where the data may have been used: \u003c is the escape sequence for "<" in a JavaScript (or JSON) string literal, so the records were likely serialised in that context.

The other clue in the file here is the word "Plimus" which as you'll recall, was the name BlueSnap went by before 2011. That's two positive indicators of the source but they're also easily fabricated indicators and I wanted some hard facts. So I asked for them.

I've just passed 700k verified subscribers to HIBP, that is people who've come to the site, added their email address to the free notification service then received a confirmation email and clicked on the link to opt in. These are people who are interested in their exposure online, exactly the sort of exposure that this breach here has led to. What I do these days when I need to verify a data breach that's a bit harder than usual or is particularly sensitive is email some of the most recent HIBP subscribers who are in the alleged data breach and ask them if they're willing to assist in verifying the incident. When they respond (and it's always a positive response because they're naturally curious), I send them an email with questions along these lines:

Do you live on [redacted]? Did you have a Visa card that expired in [redacted]? There is a purchase against your record from 2014-06-15 for the value of $160 USD; do you recognise the name beginning with "JCC-Maccabi-Games"? This is possibly the service you paid. This may be a harder one given the card has expired, but if you recall, did the CVV end with the number [redacted]?

Let's talk about that CVV for a moment. The Card Verification Value is an extremely important piece of data because it's used to verify the card in scenarios where it's not present, such as when making an online purchase. When the retailer requests the CVV, it means that even if someone has your card number and expiry, without that 3 or 4 digit code the data should be useless as far as making online purchases go. For example, if a database of transactions is leaked then so long as there's no CVV then the cards should be useless on any site that requests it (most do, Amazon is a notable exception to this). When the CVV is in the hands of a malicious party, the very mechanism that was put in place to protect consumers in "card not present" scenarios falls apart. PCI DSS is very clear about how the CVV (or CVV2 as it is these days) should be stored:

It shouldn't be stored and that's what makes this breach such a big issue. Violation of PCI DSS guidelines can lead to pretty serious fines and even loss of merchant facilities; the card providers take this very seriously. I take it seriously as well which is why I also asked HIBP subscribers to verify their CVV by providing me with an additional digit to avoid any confirmation bias (I didn't want them just answering "yes" to each of my questions). It checked out - this is the CVV.

I still wanted to be clear on the transactions themselves, though it was tricky to identify the actual source from the raw data alone. The one indicator of the source that was present in the file was an attribute named "soft-descriptor" which in the example above was "JCC-Maccabi-Games". I wondered initially whether this might just be a case of one particular site losing a bunch of data, until I aggregated the attribute and looked at the spread of records. In total, there were 899 unique values, with the top 20 by prevalence appearing as follows:

- EntourageManageme : 6299
- regpackclients : 6084
- Kidventure : 3728
- METNY2015201 : 2660
- Group-RX-New-Camp : 2535
- Wild-Whatcom : 2453
- CampKeeTov2016 : 2232
- garinusa : 2178
- JCC-Maccabi-Games : 2163
- USY-Summer-Program : 2088
- AvaAndersonNonT : 2005
- National-College-T : 1986
- High-Sierra-Pools : 1919
- Dedicated-To-Learn : 1846
- METNY-2014-2015 : 1761
- Dedicated-to-Learn : 1717
- EastBaySPCA : 1700
- SanDomenicoSummerC : 1684
- SAEP : 1642
- USY-International : 1548
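As an added example (not code from the post, from BlueSnap or from Regpack), here is a small Python parser for rows of the kind described above: it reverses the \u003c escaping, pulls the XML elements out of each pipe-delimited field, aggregates the "soft-descriptor" values the way the post does, and flags rows that still carry a "security-code". The rows are constructed, and the field order and the "last-four" element name are assumptions.

```python
import re
from collections import Counter

# Constructed sample rows (not from the leaked file). The layout follows the
# post's description: each row starts with "0x2Taylor", uses pipe-delimited
# values, and embeds XML whose angle brackets are JavaScript/JSON-escaped
# (\u003c and \u003e). Field order and the "last-four" element name are
# assumptions; card-type, security-code and soft-descriptor are named in the post.
SAMPLE_ROWS = [
    r"0x2Taylor|2014-06-15|160.00|USD|\u003ccard-type\u003eVISA\u003c/card-type\u003e"
    r"\u003clast-four\u003e1234\u003c/last-four\u003e"
    r"\u003csecurity-code\u003e987\u003c/security-code\u003e"
    r"\u003csoft-descriptor\u003eJCC-Maccabi-Games\u003c/soft-descriptor\u003e",
    r"0x2Taylor|2015-02-01|45.00|USD|\u003ccard-type\u003eMASTERCARD\u003c/card-type\u003e"
    r"\u003clast-four\u003e5678\u003c/last-four\u003e"
    r"\u003csecurity-code\u003e\u003c/security-code\u003e"
    r"\u003csoft-descriptor\u003eregpackclients\u003c/soft-descriptor\u003e",
    r"0x2Taylor|2016-05-20|250.00|USD|\u003ccard-type\u003eVISA\u003c/card-type\u003e"
    r"\u003clast-four\u003e4321\u003c/last-four\u003e"
    r"\u003csecurity-code\u003e111\u003c/security-code\u003e"
    r"\u003csoft-descriptor\u003eregpackclients\u003c/soft-descriptor\u003e",
]

ROW_PREFIX = "0x2Taylor"
# \uXXXX escapes as they appear in JavaScript/JSON string literals.
_JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
# A flat <tag>value</tag> element. Enough for the non-nested fragments in the
# sample; this is not a general XML parser.
_XML_ELEMENT = re.compile(r"<([A-Za-z][\w-]*)>([^<]*)</\1>")


def decode_js_escapes(text: str) -> str:
    """Turn \\u003c-style escapes back into the characters they encode."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def parse_row(row: str) -> dict:
    """Split a pipe-delimited row and pull out the XML elements it carries.

    Returns a dict of element name -> value, plus the raw pipe-delimited
    fields (after the marker) under "fields". Raises ValueError when the
    row does not start with the expected marker.
    """
    fields = row.split("|")
    if fields[0] != ROW_PREFIX:
        raise ValueError("row does not start with the expected marker")
    record = {"fields": fields[1:]}
    for field in fields[1:]:
        for name, value in _XML_ELEMENT.findall(decode_js_escapes(field)):
            record[name] = value
    return record


def descriptor_counts(rows) -> Counter:
    """Aggregate the soft-descriptor attribute across all rows."""
    return Counter(parse_row(r).get("soft-descriptor", "") for r in rows)


def stored_cvv_findings(rows) -> list:
    """Return (row index, soft-descriptor) for every row holding a CVV.

    PCI DSS Requirement 3.2 forbids storing the card verification code after
    authorisation, so any non-empty security-code in persisted data is a finding.
    """
    findings = []
    for i, row in enumerate(rows):
        rec = parse_row(row)
        if rec.get("security-code", "").strip():
            findings.append((i, rec.get("soft-descriptor", "")))
    return findings


def redact_for_storage(record: dict) -> dict:
    """What a persisted copy should look like: the CVV is dropped entirely."""
    return {k: v for k, v in record.items() if k != "security-code"}


if __name__ == "__main__":
    for name, n in descriptor_counts(SAMPLE_ROWS).most_common():
        print(f"{name} : {n}")
    print("rows storing a CVV:", stored_cvv_findings(SAMPLE_ROWS))
```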

The record I was looking at was merely the 9th most common result; clearly there were many others involved too. But it still wasn't clear precisely what these websites were nor what was purchased from them. The answer to that lay further down in the data within a Plimus URL formatted as follows:

https://www.plimus.com/jsp/show_invoice.jsp?ref=[redacted]

As the URL suggests, this then takes you through to an online invoice like this:

There are many interesting things about the invoice, the first of which is that it obviously identifies BlueSnap quite clearly both by virtue of their brand and the Plimus URL. It also matches the individual's identity and address from the data breach file which goes a long way to establishing authenticity. Then we can see the website itself where the payment was made which is at jcca.org. The site has a donation page complete with a payment form:

As you can see, the logo clearly indicates that this is "Secure Credit Card Processing"...

There's nothing on the site or in the structure of the payment form that indicates BlueSnap though, and it looks as though the integration with the payment provider is done entirely on the server side without exposing that information publicly. But there was another piece of information on the invoice which didn't initially stand out to me and only later piqued my interest after another HIBP subscriber made this comment:

I still have the confirmation email (a Summer Camp). It referenced http://www.regpacks.com so that might be a possible source too.

Now this is interesting because the invoice in the earlier image refers to a support email address on the regpacks.com domain. Regpack offers a registration service and part of the feature set is this:

Receive payments during registration rather than post-registration

Dealing with payment info is serious business so they also offer some assurances as to their security position:

Another piece of relevant information on the Regpack website is a list of just a few of their customers, including JCC Maccabi Games:

Every single HIBP subscriber I contacted had an invoice referencing a Regpack email address for support. It was looking more and more like they were taking the registrations then passing them downstream to BlueSnap for payment processing. In fact, that's precisely what was happening and it was easily verified via a press release a few years ago:

Waltham, Mass.---April 2, 2013---BlueSnap™, the most flexible and advanced buying platform for online companies selling goods and services over the web and mobile, today announced that Regpack, a global online enrollment platform serving the private education industry, has selected BlueSnap to process the financial transactions for its online enrollments. Regpack integrates with BlueSnap’s flexible and advanced payments platform to provide a complete enrollment and payments solution for organizations such as private schools, camps, educational tourism, faith community organizations, seminars and professional conferences.

In that press release, the Regpack CEO goes on to say:

Moreover, BlueSnap’s strict security measures for online transactions mean that we can use BlueSnap to process payments and conduct business without going through the expense of becoming PCI-compliant level one on our own.

Now by this stage you'd think the whole thing was wrapped up: either Regpack or BlueSnap has had a data breach and leaked a few hundred thousand transactions replete with partial card data and CVVs. The problem, though, is that neither party believes the breach came from them. I worked with two separate journalists on this and they both had feedback from BlueSnap and Regpack suggesting another party was responsible. I also reached out to them both yesterday for comment and got this from BlueSnap:

Based on an investigation we initiated as soon as we heard about the data set, we hired a top PCI-certified Incident Response firm. Based on that investigation we confirmed that BlueSnap did not experience a system breach or any data loss.

And got this from Regpack:

As a preventive measure, we ran a full forensic investigation and it has concluded that there was no data breach on Regpack servers. In spite of that, we have run the full security protocol implemented in these cases and conclusively determined that our servers were not involved.

Personally, I see indicators implicating both of them. Of those that point to BlueSnap losing the data, there's the name of the file itself and 0x2Taylor's original assertion that it came from them in the first place. The file wasn't named "Regpack_324K_Payments.txt", it was BlueSnap's name in there and whilst a file name alone is not proof of an incident, it's an indicator. Then there's the nature of the sites that were involved; when I checked with HIBP subscribers, we identified sources such as the Jewish Community Centers Association of North America mentioned above, Liberal Judaism and Passages America Israel. There were other non-Jewish organisations involved as well (such as the East Bay SPCA), but it's hard to ignore the coincidence of the organisation implicated as having lost the card data having its origins in Israel and then seeing such a prevalence of Jewish websites using its services. But then again, they all had Regpack support email addresses on them, so onto them...

Regpack's name is associated with every one of the HIBP subscribers I contacted. I'd expect that if BlueSnap was the source of the breach then we'd be seeing a mix of downstream consumers in the file, unless they store the data in such a way that Regpack's records are isolated from other customers and they alone got breached. Another indicator pointing to Regpack as the source of the incident is that per the statement above, they don't need to be PCI compliant and thus haven't gone through the rigour of audits. (Edit: I've put a strike through this because the CEO's comment was around level one PCI compliance. Regpack may be compliant with a lower level requiring less rigour.) Now by no means does merely being PCI compliant guarantee a breach won't happen, but when the transgressions are as egregious as storing the CVV, something is majorly amiss. And finally, "regpackclients" features as the second most common "soft-descriptor" in the earlier bulleted list with over 6k entries. That's slightly odd because there are many other descriptors which then have invoices referring to Regpack's email address for support, but it's yet another indicator of how heavily they feature in the data.

Now it's possible that the data has come from another unnamed party, but it's highly unlikely. Not only could I not pick a pattern in the data suggesting it was sourced from elsewhere, but the CVVs just shouldn't have been there. We've got 899 totally separate consumers of the Regpack service (so it's not from one of them) who send their data direct to Regpack who pass payment data onto BlueSnap for processing. Unless I'm missing a fundamental piece of the workflow (and I'm certainly open to suggestions on what this might be), it looks like accountability almost certainly lies with one of these two parties.

Lastly, just to absolutely, positively avoid any remaining doubt that this is a legitimate data breach, let me share a collection of responses from HIBP subscribers (note also the responses regarding the CVV):

Address is correct and yes I did have a card that expired in 2014

That all seems right

Yes, that information is correct

I had a Visa card ending in 10 and I am pretty sure it expired in 2013

Yes, we do have a visa that expires in 2020, and yes the CVV ends in 8

This is genuine information that you have provided

I don’t know how they got the CVV either

So that's where it stands at the moment - it's highly likely that either BlueSnap or Regpack lost the data - but frankly, I'm more concerned about those who have their info floating around the web which includes:

- Names
- Physical addresses
- Email addresses
- IP addresses
- Phone numbers
- Last 4 digits of their credit cards (remember, this is identity verification data and it's enormously useful for hijacking accounts)
- CVV
- Online invoices which then include details of their purchases

These people need to know that their data was posted publicly to Twitter and none of us have any idea how many people now have it. They need to cancel impacted cards (full card data wasn't leaked, but refer to the link above re partial data being used to hijack accounts) and be aware that their personal info has been exposed. The sites using these facilities also need to be notified because they're the ones that have the relationship with the customers. This requires the cooperation of BlueSnap and Regpack, the former of which is still hosting those invoices publicly on the plimus.com domain where anyone who has the invoice numbers from the breach can simply enumerate them and pull down even more personal data. It may not be a pleasant experience for them, but they need to step up and take responsibility.

I've now loaded all 105k email addresses into HIBP so if you think you may have been impacted, you can search for your address on the site. I've indicated that it's a BlueSnap breach and linked through to this post simply because that's the name it was represented as but will change that if it's determined otherwise. Right now the priority should be in supporting those whose personal data has been disclosed and attribution can follow later.

Update 1 (12 hours later): I've had further feedback from BlueSnap who remain adamant the data hasn't come from them and have issued the statement below to their merchants. I've asked point-blank if they believe Regpack is the source of the breach and will post an update here if there's any feedback I can share. As yet, I don't believe the individuals in the breach whose data has been publicly circulated have been notified by either party.

Update 2 (24 hours after initial post): There's been a lot of discussion on this incident both in the comments below and via email. A number of people have said they've reached out to Regpack and received responses indicating that they weren't the source of the breach and offering little support beyond there. I want to reiterate a few immutable facts:

- The data in the breach is legitimate and contains personal information
- There are hundreds of thousands of transactions out in the wild including details on over 100k customers
- The data contains the last four digits of the card which are frequently used for identity verification purposes
- The data contains the CVV which should never have been stored by anyone
- BlueSnap has known about the incident since at least the 21st of August
- Regpack has known about the incident since at least the 26th of August
- Websites who had customer data exposed were using the services of Regpack
- Regpack may not have lost the data, but they're accountable to their customers which means the sites using their service
- As yet, to the best of my knowledge those impacted in the data breach have not been notified and that includes both websites using Regpack and customers who made purchases

Given there's still no resolution to this and neither BlueSnap nor Regpack believe they're responsible, I'm listing all 899 "soft-descriptor" values below complete with the number of transactions each has in descending order (these are the websites using the Regpack service). If your site is amongst that list and you're concerned for your customers, contact the organisation you sent the transaction to as they're the party you have the relationship with and entrusted with the data.

1 North-Georgia-Home : 1 McCallum-Theatre-T : 1 SLBC-2016 : 1 Strongwater-Swim : 1 Young-Coders-Acade : 1 Hanegev-2015-2016 : 1 CHUSY-2015-2016 : 1 You-Give-It-We-Gr : 1 Acts-World-Relief : 1 Mindful-Leadership : 1 Automic-University : 1 Mabee-Gerrer-Museu : 1 Child-Care-Council : 1 FZYCamp2015 : 1 CampGanIsrael- : 1 USYMembership : 1 WildfishTheatre : 1 USYUploads : 1 InternationalUSY : 1 AmericanDanceIns : 1 SewickleyAcademy : 1 MuscoloMeatAcade : 1 CRUSY2014-2015 : 1 ECRUSY2015-2016 : 1 OPEFBASECampFie : 1 FortClarkton : 1 CyliaHarrietFoun : 1 JacobusConsulting : 1 McCallumTheatreD : 1 KidzNPlay : 1 WestMetroFireRe : 1 LifeSafetyDivisi : 1 Ktantanim2015-201 : 1 JDECRegistration : 1 WMtrainingcenter : 1 McCallumTheatres : 1 TeamworksDogTrai : 1 SouthwestVermont : 1 MemphisTheologica : 1 E-Rive : 1 yj_summer : 1 ie_rimon : 1 israel_challenge : 1 JH History Makers : 1 LCFOilers : 1 ICCA Conferences : 1 Innovative Academi : 1 yj_shalem : 1 SWUSY Staff : 1 L3X 2013 : 1 shevettapuach2012 : 1 College-Hockey-Exp : 1 Student-Education : 1 OPEF-Day-Camp-2013 : 1 tigermma : 1 Camp-Jano-India : 1 Maccabi-games : 1 Florida-Flyers : 1 shevettapuach2014 : 1 Artisul : 1 DanceMissionYout : 1 AWSDetroitChrist : 1 WaynefleteInc : 1 InternationalGlov : 1 JacksonSportsAca : 1 CATESOL2016Annua : 1 AFA : 1 Curtissandbox : 1 CampRamahIsrael : 1 CumberlandCounty : 1 FZYWUJSSpring20 : 1 FZYAmirim2016 : 1 CampLiberty2016 : 1 PilgrimCamp : 1 Armed2Defend : 1 HopeBasketballCa : 1 WBRTR-Runners : 1 WorldWarBrick : 1 DistrictSummitRe : 1 FreedomSchoolPar : 1 LutheranChurchof : 1 PanforkBaptistEn : 1 CATESOL2016North : 1 SantaClaraUniver : 1 GalileanRetreat : 1 Spokane-AVIDIns : 1 TitanRobotics : 1 KingdomWorkers : 1 ArmedServicesYMC : 1 CIS-HPCS : 1 CaliforniaWorkfor : 1 SkySummerCamp : 1 CIS-CTS : 1 TheBlackEconomic : 1 Sportstyme-Welli : 1 Sportstyme-Winte : 1 CHUSY2016201 : 1 CRUSY2016201 : 1 Emtza2016201 : 1 WUSY20162017 : 1 VSSDance : 1 EPAHagesher2016 : 1 HanefeshNERUSY2 : 1 
HaNegev2016-201 : 1 NewFrontier2016 : 1 Pinwheel2016 : 1 Seaboard2016 : 1 Tzafon2016-2017 : 1 WildfishTheatreJ : 1 ProLevelTraining : 1 MinnesotaMusicEd : 1 FarWest2016 : 1 GlobalWritersIns : 1 KidsIntheGame : 1 JumpStart : 1 YoungJudaeaAlumn : 1 KidVenture-Aftersc : 1 SEFOF : 1 McCallumTheatreT : 1 MtCarmelMusicF : 1 AWSDetroit : 1 StoneMountainAdv : 1 CampArrahWanna : 1 CampSonburst : 1 FrestaValley : 1 KieslingAssociate : 1 2016-2017WinterB : 1 Medinformatix : 1

Update 3 (a day and a half after initial post):

I've had further communication with both BlueSnap and Regpack since writing this post and the source of the data has now been identified as originating from Regpack. Let me share a statement from them here:

Further to the article Troy Hunt published, both Regpack and BlueSnap have looked into the presented data loss. Reviewing the post by Troy Hunt assisted our engineers in reaching this conclusion: Regpack has confirmed that all payments information passed to the payment processor is encrypted on its databases. Nonetheless, periodically, this information is decrypted and kept internally for analysis purposes. We identified that a human error caused those decrypted files to be exposed to a public-facing server and this was the source of the data loss. This was identified by our teams going back and reviewing some of the log files as indicated in the blog discussion post. We have changed our approach to handling this data and are confident that this one-time mistake will not occur again.

To reiterate our security stance:

1. The source of the data loss was a procedural human error.
2. Neither Regpack nor BlueSnap had our systems breached. This has been confirmed by independent forensic experts retained by each company after the initial data loss. As a further security measure, Regpack has rebuilt all servers and run full security scans on the new servers.
3. Both Regpack and BlueSnap have conducted thorough reviews of the environments and found that all systems are secure.
4. Regpack and BlueSnap have updated all internal security procedures and processes to ensure that no data can leave internal environments. This will prevent the loss we saw in this case.

Regpack is notifying vendors whose customers were potentially affected so they can make the appropriate communications.
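The failure mode in Regpack's statement is decrypted export files sitting on a public-facing server, with the exposure reconstructed afterwards from log files. That reconstruction is a routine defender's check: scan the web server's access log for successful downloads of files that should never be in a web root. The script below is an added example for this post, not Regpack's, BlueSnap's or Troy Hunt's own tooling. It assumes Apache/nginx "combined" log format; the IP addresses, paths, extension list and log lines are constructed for illustration.

```python
"""Flag successful downloads of data-export-style files in a web access log.

Added example, not code from the post or the companies it discusses. It assumes
the Apache/nginx "combined" log format; every value below is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Extensions that rarely belong in a public web root: database dumps,
# spreadsheets and archives of them (constructed list, extend to taste).
EXPORT_EXTENSIONS = (".sql", ".sql.gz", ".csv", ".zip", ".tar.gz", ".bak", ".xlsx")

# combined format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log: one client pulls a .sql dump and a .csv, another
# probes the dump and gets a 404, a third fetches the .csv with a range request.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jul/2016:03:14:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jul/2016:03:14:09 +0000] "GET /reports/payments_export.sql HTTP/1.1" 200 73400320 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Jul/2016:03:20:41 +0000] "GET /reports/payments_export.sql HTTP/1.1" 404 512 "-" "curl/7.47.0"
203.0.113.7 - - [09/Jul/2016:03:21:00 +0000] "GET /reports/orders.csv?dl=1 HTTP/1.1" 200 2048000 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jul/2016:03:22:00 +0000] "HEAD /reports/orders.csv HTTP/1.1" 200 - "-" "Mozilla/5.0"
192.0.2.50 - - [09/Jul/2016:04:00:00 +0000] "GET /reports/orders.csv HTTP/1.1" 206 1048576 "-" "Wget/1.17"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # Drop the query string and normalise case so "orders.csv?dl=1" still matches.
    rec["path"] = urlsplit(rec["target"]).path.lower()
    return rec


def is_export_path(path):
    return path.endswith(EXPORT_EXTENSIONS)


def find_export_downloads(lines, min_bytes=1):
    """Return records for GETs of export-like files that were actually served.

    2xx includes 206 Partial Content, which is how large dumps are usually
    pulled; 403/404 mean the path was probed but nothing left the server.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if not is_export_path(rec["path"]):
            continue
        if not 200 <= rec["status"] < 300:
            continue
        if rec["bytes"] < min_bytes:
            continue
        hits.append(rec)
    return hits


def summarize_by_ip(hits):
    """Group hits per client: {ip: {"files": set of paths, "bytes": total served}}."""
    summary = defaultdict(lambda: {"files": set(), "bytes": 0})
    for h in hits:
        summary[h["ip"]]["files"].add(h["path"])
        summary[h["ip"]]["bytes"] += h["bytes"]
    return dict(summary)


if __name__ == "__main__":
    hits = find_export_downloads(SAMPLE_LOG.splitlines())
    for ip, info in summarize_by_ip(hits).items():
        print(f"{ip}: {info['bytes']} bytes across {sorted(info['files'])}")
```

Run over a real log the same functions answer the two questions that matter after an exposure like this: which files were served, and to whom, and how much. The same extension list, applied to a listing of the web root before deployment, turns the check from detection into prevention.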

Obviously they now have various processes to go through including reaching out to impacted customers who will in turn need to contact their customers (the ones who made the purchases) and notify them of the data exposure. I've just updated HIBP to reflect the source of the data as being Regpack and adjusted the description accordingly.

If you run a website that uses Regpack services then you should hear from them directly. If you believe that your personal information was exposed then you should hear from the site you provided it to (yes, I know they didn't lose the data but that's the chain of relationships here).

Thank you to everyone who commented and provided input on this post. I'm glad the source has now been identified and steps can be taken to protect those who were exposed.