CentralSquare settles one Click2Gov data breach lawsuit

Between 2018 and the end of 2020, DataBreaches published dozens of news reports on municipal breaches involving CentralSquare’s Click2Gov software. The software allows residents to pay utility bills or other municipal bills online.

Now Top Class Actions reports that CentralSquare has agreed to pay $1.9 million to settle litigation by some consumers. Consumers whose credit or debit card was used to make payments through the CentralSquare Click2Gov payment portal between Jan. 1, 2017, and Dec. 31, 2019 may be eligible for some compensation. Plaintiffs filed this CentralSquare class action lawsuit after the company announced a data breach in October 2017.

The case is Doughty, et al. v. CentralSquare Technologies, LLC, et al., Case No. 5:20-cv-00500-G in the District Court for the Western District of Oklahoma. The final hearing on the settlement will be October 7, 2022. Details can be found on the settlement website at CSTSettlement.com.

According to Top Class Actions:

In addition to providing settlement benefits to eligible class members, CentralSquare has also agreed to implement stronger security measures to protect user data. The company will maintain a hotline for employees to report concerns about CentralSquare’s security systems, engage a third-party vendor to audit its data security, and engage an outside consultant to conduct an annual risk assessment to identify data security risks.

Other lawsuits were filed after this lawsuit, and DataBreaches is not aware of their status at this time. For this site’s previous coverage on the breaches, search for “CentralSquare” and “Click2Gov.”

OR: The City of Bend discloses Click2Gov breach

The City of Bend was recently informed that a potential data security incident may have compromised the payment card information of some City utility customers who made one-time utility bill payments or enrolled in auto pay using a credit or debit card between August 30, 2019 and October 14, 2019.

The data that may have been affected could include the cardholder’s name, card billing address, card number, card type, card security code and card expiration date. Other personal information such as Social Security numbers or government-issued identification numbers were not affected by this incident. The City of Bend does not collect that information for utility billing purposes. City utility customers who signed up for auto pay by credit/debit card or bank drafts before August 30, 2019 or after October 14, 2019, and customers who paid in person or by check, are not affected.

The City learned of the potential security incident from CentralSquare, the third-party vendor that manages and operates the City’s online utility payment portal, known as Click2Gov. CentralSquare determined that malicious code may have been inserted into the Click2Gov software which could have allowed an unauthorized party to copy personal payment card information from customers who logged into the system to make a one-time credit card payment or to enroll in auto pay between August 30, 2019 and October 14, 2019. Existing auto pay customers were not affected.

The City has worked with CentralSquare to remove the malicious code from Click2Gov to ensure that this incident is not ongoing and has implemented additional security measures to help mitigate future risk. This incident involved Click2Gov’s software. It was not due to a vulnerability of the City’s infrastructure, systems, or security.

“Data privacy and security for our customers are high priorities, and we are taking this situation very seriously,” said Chief Innovation Officer Stephanie Betteridge. “We are doing everything we can to mitigate the situation, serve our customers and protect against future incidents.”

The City is working with CentralSquare, a third-party forensic investigator, outside legal counsel, and local and federal law enforcement to evaluate the nature and scope of the incident. The investigation is ongoing. We are in the process of notifying the individuals who may be affected directly by mail. Letters are expected to be mailed this week. The City has plans in place to migrate to a new payment processing services provider in the near future.

Customers who made one-time payments or enrolled in auto pay between August 30, 2019 and October 14, 2019 should monitor their financial accounts and promptly report any suspicious activity to their banks. Those customers will also be offered one year of credit and identity-monitoring services at no cost.

Customers who may have questions or would like more information may visit our website at www.bendoregon.gov/data-advisory. We have also established a dedicated call center to address customer concerns, which can be reached at (844) 987-1209 from 8:00 a.m. to 5:00 p.m. Pacific Time, Monday through Friday, excluding holidays.

Source: City of Bend, Oregon.

The Bend Bulletin reports that about 5,000 people may have been impacted.

Another Click2Gov victim is revealed in Texas

Add Sugarland, Texas to any list you are keeping of Click2Gov breach victims.  As with other entities in the second wave of attacks, those residents who used the payment portal to make one-time payments seem to have fallen prey to the attackers.  And as with a number of other CentralSquare Technologies Click2Gov customers, Sugarland will be using a new payment system to be installed in 2020. Sugarland was reportedly notified of the breach on October 25, but the full extent was not known until December 12, according to the Houston Chronicle’s reporting. DataBreaches.net has sent an inquiry to Gemini Advisory to find out if they found cards from this one up for sale, and may update this post when I get an answer from them.  

About 3,000 Fort Worth water customers may have had info stolen in data breach

Kaley Johnson reports more trouble for Click2Gov software by CentralSquare Technologies:

About 3,000 customers of the Fort Worth Water Department may have had their information stolen due to a data breach, a department spokeswoman said. Those impacted would have made a one-time payment for Fort Worth water with a credit card between Aug. 27 and Oct. 23, spokeswoman Mary Gugliuzza said.

Read more on Fort Worth Star-Telegram.

Yet another city reports a Click2Gov breach

Another city has reported a breach involving Click2Gov software by CentralSquare Technologies. WTVY reports Dothan, Alabama has joined more than four dozen other cities using Click2Gov that have experienced breaches involving payment card data of residents using online payment portals:

“It has come to the City of Dothan’s attention that CentralSquare, the third-party processor of online utility payments, via their Click2Gov application, has been compromised via a recent cyber attack,” the city said in a statement.

Read more on WTVY.

As with some other cities we learned about this year, the attack seems to have occurred between August 26 and October 14 of this year. It’s not clear when Dothan discovered the attack and if they discovered it or whether CentralSquare Technologies alerted them to investigate.

The Dothan Eagle has a bit more detail on the attack itself, reporting that CentralSquare Technologies says that the attacker used a “screen scraper” process to steal online customers’ private information.

That means Dothan Utilities customers who used stored credit card and address information to pay their bills in that timeframe were not likely subject to the data breach. Customers who typed their information in the system, like those who may have used the one-time payment system or new customers, may still be at risk, Mason said.

The firm’s CEO never answered this site’s recent inquiry as to whether this was a second vulnerability affecting cities after August or a previously known issue.

City of Norman, OK temporarily suspends utility payment portal; ditches Click2Gov after another potential security incident

The City of Norman, Oklahoma has suspended its online portal for paying utility bills after they were notified of a potential security incident involving Click2Gov software by CentralSquare Technologies. At this point, the city seems to have had enough with Click2Gov security issues. The city is currently in the process of switching over to another payment processor.

The city issued the following press release:

All online payments for City of Norman utility services and permitting fees are suspended through November 12 while the City makes an emergency transfer to a new payment processor. Payments may be made in person at 201-C W. Gray St., by mail at the same address or by calling 405-366-5320 for Utility payments or 405-366-5339 for permitting and licensing fees.

The City was made aware of a potential security event this week involving Click2Gov, a third-party payment software system that processes some payments on behalf of the City. As a precaution, the City has taken down the Click2Gov payment servers and is in the process of implementing a new online payment solution through Paymentus. The new software is anticipated to be online by November 12.

The City of Norman takes cyber-security and the public’s data very seriously. The City works on a daily basis to ensure its online systems are secure to the highest extent possible, and the safeguarding of its citizens’ financial information is the City’s highest priority.

The City is currently working with CentralSquare, the parent company of Click2Gov, and other third-party experts to determine the scope of the security event. An investigation into the event at Click2Gov by the Federal Bureau of Investigation is ongoing. Once the investigation is complete, all potentially impacted parties will be notified as required by the law.

Previous coverage of Click2Gov breaches is linked from here.
CORRECTION:  A previous version of this post incorrectly reported that this was the second time Norman, Oklahoma experienced a Click2Gov breach.  This was the only such incident Norman, Oklahoma reported. DataBreaches.net regrets the error.

Port Orange Suspends Online Payment System to Investigate Possible Data Breach Involving Click2Gov

Update: The original post below was published on October 19, 2019. On January 10, 2020, Port Orange said that they were first notified by CentralSquare on November 6. Yet they had reportedly suspended payment by October 19 to investigate. So why has it taken them so long to make this follow-up announcement?

Spectrum News reports that Click2Gov software by CentralSquare Technologies may still pose a risk to municipal governments that use it to allow residents to pay bills.

In a press release, city officials said the company that develops its payment system for utilities billing and taxes, Click2Gov, informed them they wanted to investigate “an unconfirmed software issue that may have resulted in vulnerabilities.”

Read more on Spectrum News.

What is going on? Initially, it sounded like it was only software installations that were locally run and that may not have been updated or patched. But now it seems like there may be another explanation. And if that’s the case, have all governments using the software been notified or alerted?

You can find previous coverage on Click2Gov breaches here. There have also been reports by RiskBasedSecurity, FireEye, and Gemini Advisory, who recently reported on a second wave of breaches.

Eight cities impacted in second wave of Click2Gov breaches – Gemini Advisory

It’s been a rough year for municipalities, and it’s only likely to get worse. While we read more and more reports of school districts becoming victims of ransomware attacks that delayed school openings or caused school closings, we have also read numerous reports of municipal police and law enforcement sites being defaced, and other municipal sites being attacked with ransomware.

And then there were the Click2Gov reports.

In 2018, this site noted more than four dozen cases of municipalities reporting hacks of their payment portals that used Click2Gov software. CentralSquare Technologies, the manufacturer of Click2Gov, had provided this site with a statement claiming that only municipalities who were self-hosting the software were affected.

In the first wave of attacks, Gemini Advisory analysts informed DataBreaches.net that as of December, 2018, more than 300,000 Card Not Present payment card records had been found up for sale on the dark web. The breach reports continued into March, 2019, but for the last six months, there had been no new reports.

Until Stanislav Alforov, Gemini Advisory’s Director of Research, contacted this site recently to report that they had discovered what appeared to be a second wave of attacks involving Click2Gov. In an approximate one-month period, their analysts had found 20,000 payment card records up for sale on the dark web. The records appeared to be linked to 8 cities in five states, and further investigation revealed that these cities were all using Click2Gov. Unfortunately for six of the eight cities, it was the second time they had experienced a breach involving Click2Gov.

The eight cities are Deerfield Beach (FL), Palm Bay (FL), Milton (FL), Coral Springs (FL), Bakersfield (CA), Pocatello (ID), Broken Arrow (OK), and Ames (IA). Only Pocatello and Broken Arrow had not experienced previous Click2Gov breaches.

Of note, and unlike the first wave when many of those affected had local installations of the software that had not been updated or patched, Gemini’s analysts confirmed that many of the newly affected towns were operating patched and up-to-date Click2Gov systems at the time they experienced a breach.

DataBreaches.net contacted CentralSquare Technologies to ask them for their comments on the current situation. In response, they sent a statement that said, in relevant part:

We have recently received reports that some consumer credit card data may have been accessed by unauthorized or malicious actors on our customers’ servers. It is important to note that these security issues have taken place only in certain towns and cities. We have immediately conducted an extensive forensic analysis and contacted each and every customer that uses this specific software, and are working diligently with them to keep their systems updated and protected.

That statement almost seems to imply that the affected municipalities’ systems had not been updated and properly protected. That statement appears to conflict with Gemini’s findings that the municipalities they spoke with were using updated and patched installations.

DataBreaches.net asked CST to confirm whether the “specific software” reference in their statement was to Click2Gov or if it was a reference to some other software. Their spokesperson confirmed that they were referring to Click2Gov software and added:

Based on our current investigation, the vulnerability existed for a limited number of Click2Gov customers, and has been closed. At this time, only a small number of customers have reported unauthorized access.

Based on Gemini Advisory’s statements to this site and their new report, it sounds like someone did find and exploit a new vulnerability. And as Gemini Advisory notes in their report, that should not be surprising:

Given the success of the first campaign, which generated over $1.9 million in illicit revenue, the threat actors would likely have both the motive and the budget to conduct a second Click2Gov campaign.

You can read Gemini Advisory’s report here.

Update of October 4: Bakersfield announced that it is terminating its relationship with Click2Gov.

Update of November 15: About 3,500 residents of Pocatello were affected.

NC: Pasquotank-Camden EMS notifies 40,000 after hacking incident

On February 25, Pasquotank-Camden Emergency Medical Service in North Carolina reported a breach to HHS that affected 20,420 patients. A notification sent to the Vermont Attorney General’s Office explained that sometime in late December, 2018, the county became aware of an unauthorized intrusion from outside of the U.S. Investigation revealed that the intruder was able to access files with protected health information, but they found no evidence that data was exfiltrated or misused. The county notified all those potentially impacted and offered them 12 months of credit monitoring and credit restoration services, should they be needed.

A few days later, however, Jon Hawley of the Daily Advance reported on the incident, but reported that it was 40,000 patients affected as per the county’s most recent statement that week. Hawley also provided additional details, including the facts that the hack had occurred on December 14, that the hacker had erased files, and there had been no ransom demand. Of special note:

Hammett said the hacker exploited a vulnerability in the county’s billing software, provided by the company TriTech, and tricked it into considering the hacker a normal user. That allowed the hacker to access records as far back as 2005, though most dated back to 2010, Hammett said. Some of the text files the hacker viewed were thousands of pages long, Hammett said, making it a long process to review what information had been compromised, who should be notified, and how.

“Russy,” a regular reader of and contributor to this site, notes that in 2018, TriTech merged with Superion to form CentralSquare. Superion/CentralSquare is the company behind Click2Gov, the billing software many municipalities use. But unless I’m misunderstanding something, this does not appear to be the same vulnerability involved in Click2Gov breach reports, as Hawley cites the county manager Sparty Hammett as telling him that TriTech “was not aware of the vulnerability, and has closed it.” Hammett also informed the paper that the county may move EMS data to TriTech’s cloud, rather than store it locally, or switch to another software entirely.

EMS Director Jerry Newell said the data breach did not hinder ambulance response, and the agency was able to quickly restore the lost data. It sounds like the county had learned important lessons from a previous and severe attack in May, and was now better prepared in a number of ways.

Read more on The Daily Advance.

Pompano Beach warned nearly 4,000 residents of data breach involving Click2Gov

Wayne K. Roustan reports: A data breach at a company that handles the billing for municipal water service has Pompano Beach city officials working to minimize the potential damage. Hackers gained unauthorized access to credit or debit card data stored with software company CentralSquare and used for one-time online water bill payments made through the city’s website from Aug. 30 to Dec. 6, officials said. Read more on SunSentinel.