PayU has inadvertently exposed the email addresses of customers in an email broadcast.
Customers received an email regarding downtime due to server maintenance on 13 April.
The email was sent from a “PayU Notification” address, with multiple customers openly copied in the mail.
PayU is an online payment gateway which allows users to save their credit card and banking information online in order to make payments through supported portals.
PayU accounts are secured using a customer’s email address and password.
It is unclear how many customers were included in the email, but screenshots seen by MyBroadband show a list of several hundred addresses.
PayU CEO Karen Nadasen told MyBroadband the email was not transmitted in line with the company’s communication protocol.
“This was an internal error by one of our team members. It was certainly not our standard procedure,” she said.
“As a fully PCI compliant, leading payment service provider, we take any interaction we have with our merchants very seriously.”
“This particular email broadcast was a standard notification of planned downtime for maintenance.”
Nadasen said that while merchant addresses were made visible, no confidential or financial information was compromised.
“It is important to note that, while we acknowledge that merchant email addresses were erroneously visible, and apologise for this, we in no way compromised any sensitive or confidential, financial, or personal information of our merchants.”
“We have addressed the error internally and will take measures to prevent this error from reoccurring,” said Nadasen.