A SQL database backup belonging to 321transit.com, the official website for Space Coast Area Transit (SCAT), Brevard County’s public transportation system, was allegedly left exposed on an unsecured open directory and has since been published online. The dump purportedly contains tens of thousands of user records and transit pass purchases, including payment card data stored in a way that violates industry security standards.
What the Database Allegedly Contains
According to the disclosure, the SQL file carries a timestamp of October 2025 and was reportedly discovered on the open directory in March 2026. It allegedly includes two tables of particular concern. The first holds roughly 30,000 user account records with names, usernames, email addresses, and hashed passwords. The second contains approximately 14,600 transit pass purchase records tied to the agency’s online fare system, allegedly including full credit card numbers, CVV codes, expiration dates, cardholder names, phone numbers, and mailing addresses.
The payment records appear to originate from the site’s paratransit pass purchasing system, which services ADA Paratransit and TD Paratransit customers in addition to standard riders. Paratransit programs specifically serve riders with disabilities, meaning a subset of those potentially affected may include particularly vulnerable individuals.
A PCI-DSS Violation Hiding in a Backup File
If the claims are accurate, the storage practices reflected in the database represent a serious compliance failure. PCI-DSS explicitly prohibits storing CVV codes after a transaction is authorized. Storing full card numbers alongside CVV codes and cardholder details in a plaintext database, let alone in an exposed backup, is a direct violation of the standard. Any card data in the dump would be immediately usable for fraud, with no cracking or decryption required.
It is worth noting that the transaction records date back to 2017, meaning a significant portion of the exposed card numbers are likely expired. That reduces the immediate fraud window but does not eliminate risk entirely, particularly for any more recent records in the dataset.
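One way to catch the storage pattern described in this section before a backup leaves the database host, as an added example (not code from the site or the disclosure): the script scans a SQL dump for columns named like card verification codes and for Luhn-valid card numbers, reporting the latter masked. The sample dump, its table and column names, and the column-name patterns are constructed assumptions.

```python
import re

# Constructed sample dump: table names, column names and values are made up.
SAMPLE_DUMP = """\
CREATE TABLE `pass_orders` (
  `id` int NOT NULL,
  `cardholder` varchar(100),
  `card_number` varchar(19),
  `cvv` varchar(4),
  `exp` varchar(7)
);
INSERT INTO `pass_orders` VALUES (1,'Test Rider','4111111111111111','123','12/2019');
INSERT INTO `pass_orders` VALUES (2,'Test Rider','4111 1111 1111 1112','456','01/2020');
INSERT INTO `wp_users` VALUES (1,'admin','$P$BconstructedHashValueNotReal','admin@example.org');
"""

# Column names suggesting sensitive authentication data (assumed naming conventions).
SAD_COLUMN = re.compile(r"`(cvv2?|cvc2?|cid|card_?code|security_?code)`", re.I)
# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep first six and last four digits so the report holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def audit_dump(text):
    """Return (line number, finding type, detail) tuples for a SQL dump."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SAD_COLUMN.finditer(line):
            findings.append((lineno, "sad_column", m.group(1)))
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # drops order ids, phone numbers, typos
                findings.append((lineno, "pan", mask(digits)))
    return findings

if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_DUMP):
        print(finding)
```

A Luhn check only filters out random digit runs, so hits still need review; a hit on either finding type in a backup is a reason to stop and check what the application stores.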
WordPress Misconfiguration at the Root
The database structure indicates the site runs on WordPress, with the exposed dump including the platform’s standard user table. Publicly accessible directory listings on WordPress sites are a well-documented misconfiguration issue, particularly on older or poorly maintained installs. The exposure here does not appear to involve an active intrusion. The data was allegedly sitting in an open directory, accessible to anyone who found it, for an unknown period of time before it was discovered and ultimately published.
What Florida Law Requires
Under Florida’s data breach notification statute, covered entities are required to notify affected individuals within 30 days of determining a breach has occurred. As a government-operated transit agency, Space Coast Area Transit would likely fall within the scope of that obligation. Space Coast Area Transit and Brevard County had not issued any public statement at the time of publication. It is unclear whether the agency has been notified or whether any internal review has begun.
Riders who purchased transit passes through 321transit.com, particularly prior to 2026, should review their payment card statements and consider contacting their card issuer. Those whose cards were issued around or after 2017 and have not yet expired may face the most immediate risk. For guidance on what to do if you receive a data breach notification, see our step-by-step guide.