Another city has reported a breach involving Click2Gov software by CentralSquare Technologies. WTVY reports Dothan, Alabama has joined more than four dozen other cities using Click2Gov that have experienced breaches involving payment card data of residents using online payment portals: “It has come to the City of Dothan’s attention that CentralSquare, the third-party processor of online utility payments, via their Click2Gov application, has been compromised via a recent cyber attack,” the city said in a statement. Read more on WTVY. As with other some other cities we learned about this year, the attack seems to have occurred between August 26 and October 14 of this year. It’s not clear when Dothan discovered the attack and if they discovered it or whether CentralSquare Technologies alerted them to investigate. The Dothan Eagle has a bit more detail on the attack itself, reporting that CentralSquare Technologies say that the attacker used a “screen scraper” process to steal online customers’ private information. That means Dothan Utilities customers who used stored credit card and address information to pay their bills in that timeframe were not likely subject to the data breach. Customers who typed their information in the system, like those who may have used the one-time payment system or new customers, may still be at risk, Mason said. The firm’s CEO never answered this site’s recent inquiry as to whether this was a second vulnerability affecting cities after August or a previously known issue.
KBTX reports that College Station, Texas is warning utility customers about a potential Click2Gov breach. Read more on KBTX.
John Tufts reports: The City of San Angelo is investigating a security breach with the city’s online water billing system after fears customer’s credit card information may have been stolen. “Some water customers may have noticed irregularities with their credit and debit card accounts after recently paying their monthly statement through the City’s online payment system,” according to a news release issued Wednesday. This latest breach is not the first time San Angelo residents have had to closely monitor their accounts. San Angelo resident’s credit card information from the city’s online water billing services was compromised in August 2018. Read more on GoSanAngelo. And yes, it’s Click2Gov and the city says it is transitioning to a new payment system.
The City of Norman, Oklahoma has suspended its online portal for paying utility bills after they were notified of a potential security incident involving Click2Gov software by CentralSquare Technologies. At this point, the city seems to have had enough with Click2Gov security issues. In June 2018, the city reported that about 2,300 residents may have been impacted by a breach involving Click2Gov. The city is currently in the process of switching over to another payment processor. Norman is not the only city to have had two breaches involving Click2Gov. Other 2x victims were previously reported here. The city issued the following press release: All online payments for City of Norman utility services and permitting fees are suspended through November 12 while the City makes an emergency transfer to a new payment processor. Payments may be made in person at 201-C W. Gray St., by mail at the same address or by calling 405-366-5320 for Utility payments or 405-366-5339 for permitting and licensing fees. The City was made aware of a potential security event this week involving Click2Gov, a third-party payment software system that processes some payments on behalf of the City. As a precaution, the City has taken down the Click2Gov payment servers and is in the process of implementing a new online payment solution through Paymentus. The new software is anticipated to be online by November 12. The City of Norman takes cyber-security and the public’s data very seriously. The City works on a daily basis to ensure its online systems are secure to the highest extent possible, and the safeguarding of its citizen’s financial information is the City’s highest priority. The City is currently working with CentralSquare, the parent company of Click2Gov, and other third-party experts to determine the scope of the security event. An investigation into the event at Click2Gov by the Federal Bureau of Investigation is ongoing. Once the investigation is complete, all potentially impacted parties will be notified as required by the law. Previous coverage of Click2Gov breaches is linked from here.
Yet another report of a data breach involving Click2Gov software by Central Square Technology. Previous coverage of the publicly disclosed breaches from 2017, 2018, and 2019 are linked from here. Also see research reports by FireEye, Gemini Advisory, and RBS for additional background. The latest victim to come forward — at least the most recent one I’ve found in news — is the U.S. Virgin Islands Water and Power Authority (WAPA). According to The St. Croix Source and The Virgin Islands Consortium, WAPA is reporting a hack that has resulted in an unknown number of victims experiencing credit card or debit card fraud. Here are a few things you need to know about this latest report: WAPA said it first learned of the possible compromise on October 18 and reportedly notified CST that day. That would have been about the same time that Click2Gov was notifying Port Orange to suspend use of the software while they investigated “an unconfirmed software issue that may have resulted in vulnerabilities.” The St. Croix Source reports that WAPA claims that a forensics auditor determined that, at that time (October 18), the payment portal was not compromised. Frankly, that does not sound credible. When a second customer notified WAPA on October 22 of card fraud, WAPA, contacted CST again and CST reportedly later confirmed the cyberattack. According to The St. Croix Source, CST told WAPA that the Click2Gov application was hit by a “never before seen attack.” Central Square reportedly developed and implemented a security fix on October 25. But “never seen before” attack? Was this or wasn’t this the same issue CST was investigating related to Port Orange in Florida? And was this the same issue that resulted in eight cities disclosing breaches in August? How many different issues has CST identified that resulted in actual hacks? DataBreaches.net sent an inquiry to CST last night. This post will be updated when a response is received.