CentralSquare settles one Click2Gov data breach lawsuit

Between 2018 and the end of 2020, DataBreaches published dozens of news reports on municipal breaches involving CentralSquare’s ClicktoGov software. The software allows residents to pay utility bills or other municipal bills online. Now Top Class Actions reports that CentralSquare has agreed to pay $1.9 million to settle litigation by some consumers. Consumers whose credit or debit card was used to make payments through the CentralSquare Click2Gov payment portal between Jan. 1, 2017, and Dec. 31, 2019 may be eligible for some compensation. Plaintiffs filed this CentralSquare class action lawsuit after the company announced a data breach in October 2017. The case is Doughty, et al. v. CentralSquare Technologies, LLC, et al., Case No. 5:20-cv-00500-G in the District Court for the Western District of Oklahoma The final hearing on the settlement will be October 7, 2022.  Details can be found on the settlement website at CSTSettlement.com. According to Top Class Actions: In addition to providing settlement benefits to eligible class members, CentralSquare has also agreed to implement stronger security measures to protect user data. The company will maintain a hotline for employees to report concerns about CentralSquare’s security systems, engage a third-party vendor to audit its data security, and engage an outside consultant to conduct an annual risk assessment to identify data security risks. Other lawsuits were filed after this lawsuit, and DataBreaches is not aware of their status at this time. For this site’s previous coverage on the breaches, search for “CentralSquare”  and “Click2Gov.“

TX: Odessa residents suffer from second Click2Gov breach

Joshua Skinner reports: The city of Odessa recently had a data breach involving its online payment web portal, and this isn’t the first time it’s happened. The breach only affected users of the online Click2Gov system who made one-time payments for utility bills. Odessa uses Click2Gov as third-party provider software that allows people to pay their utility bills online. The data breach lasted from mid-April to late-June and is the second data breach on the system within the last year. Read more on CBS7.

Update on Click2Gov incident in Palm Bay

The city of Palm Bay has apparently had enough of Click2Gov concerns and is parting company with their vendor. According to a report on Hometown News, the city has received an update from Central Square about the potential breach it learned about on June 29: Central Square has identified a security vulnerability within their system; however, they have been unable to find evidence that user data was accessed. While there has been no evidence that user data was compromised, Central Square has notified all major credit bureaus of the security vulnerability as a precaution and will offer free credit card monitoring services for impacted customers. Read more on Hometown News.

OR: The City of Bend discloses Click2Gov breach

The City of Bend was recently informed that a potential data security incident may have compromised the payment card information of some City utility customers who made one-time utility bill payments or enrolled in auto pay using a credit or debit card between August 30, 2019 and October 14, 2019. The data that may have been affected could include the cardholder’s name, card billing address, card number, card type, card security code and card expiration date. Other personal information such as Social Security numbers or government-issued identification numbers were not affected by this incident. The City of Bend does not collect that information for utility billing purposes. City utility customers who signed up for auto pay by credit/debit card or bank drafts before August 30, 2019 or after October 14, 2019, and customers who paid in person or by check, are not affected. The City learned of the potential security incident from CentralSquare, the third-party vendor that manages and operates the City’s online utility payment portal, known as Click2Gov. CentralSquare determined that malicious code may have been inserted into the Click2Gov software which could have allowed an unauthorized party to copy personal payment card information from customers who logged into the system to make a one-time credit card payment or to enroll in auto pay between August 30, 2019 and October 14, 2019. Existing auto pay customers were not affected. The City has worked with CentralSquare to remove the malicious code from Click2Gov to ensure that this incident is not ongoing and has implemented additional security measures to help mitigate future risk. This incident involved Click2Gov’s software. It was not due to a vulnerability of the City’s infrastructure, systems, or security. “Data privacy and security for our customers are high priorities, and we are taking this situation very seriously,” said Chief Innovation Officer Stephanie Betteridge.  “We are doing everything we can to mitigate the situation, serve our customers and protect against future incidents.” The City is working with CentralSquare, a third-party forensic investigator, outside legal counsel, and local and federal law enforcement to evaluate the nature and scope of the incident. The investigation is ongoing. We are in the process of notifying the individuals who may be affected directly by mail. Letters are expected to be mailed this week. The City has plans in place to migrate to a new payment processing services provider in the near future. Customers who made one-time payments or enrolled in auto pay between August 30, 2019 and October 14, 2019 should monitor their financial accounts and promptly report any suspicious activity to their banks. Those customers will also be offered one year of credit and identity-monitoring services at no cost. Customers who may have questions or would like more information may visit our website at www.bendoregon.gov/data-advisory. We have also established a dedicated call center to address customer concerns, which can be reached at (844) 987-1209 from 8:00 a.m. to 5:00 p.m. Pacific Time, Monday through Friday, excluding holidays. Source: City of Bend, Oregon. The Bend Bulletin reports that about 5,000 people may have been impacted.

CO: Aurora Water announces data breach involving Click2Gov payment system

Author: Janet Oravetz reports: Personal information of some Aurora Water customers, such as names, card numbers and expiration dates, may have been compromised through a data breach, according to the city’s water department. The department made an announcement about the security incident on Monday and said customers who used the Click2Gov payment system to make one-time payments or set up recurring payments between Aug. 30 and Oct. 14 were impacted. Read more on 9News.

Marietta utility customer data found on dark web after Click2Gov security breach

Ross Williams reports that about 8,800 Marietta, Georgia utility customers may have had their credit card info compromised by the kind of Click2Gov breach we’ve been hearing about since this summer.  As in some other reports, their data — or data that is likely to come from this incident — has already been found on the dark web. Read more on MDJ.

Another Click2Gov victim is revealed in Texas

Add Sugarland, Texas to any list you are keeping of Click2Gov breach victims.  As with other entities in the second wave of attacks, those residents who used the payment portal to make one-time payments seem to have fallen prey to the attackers.  And as with a number of other CentralSquare Technologies Click2Gov customers, Sugarland will be using a new payment system to be installed in 2020. Sugarland was reportedly notified of the breach on October 25, but the full extent was not known until December 12, according to the Houston Chronicle’s reporting. DataBreaches.net has sent an inquiry to Gemini Advisory to find out if they found cards from this one up for sale, and may update this post when I get an answer from them.  

TX: City of Odessa notifies residents of Click2Gov breach

Seen on the city’s website: Post Date:12/12/2019 4:54 PM Click2Gov Security Breach ODESSA – We have learned of a data security incident that occurred between August 27, 2019 and October 14, 2019 that involved some of our customers’ credit/debit card information. The City of Odessa utilizes a third-party software product called Click2Gov to provide our customers with the ability to pay utility bills online via the Internet. The breach occurred with our third-party provider Click2Gov and not with the City of Odessa. On Wednesday, December 11, 2019, the Click2Gov vendor informed the City of the breach. The breach only affected users of the online Click2Gov system who made one-time (not recurring) payments for utility bills. Any payments made in person, via the phone system, via E-Check or to any other city systems were not impacted. The City of Odessa takes protection of our data systems very seriously and constantly updates all our systems so that risks to our customer data can be minimized. The Click2Gov system had security updates applied to it several times throughout the year. In addition, the City also performs internal and external testing to ensure that the systems are not prone to any known vulnerabilities. Letters will be sent to our customers that we know performed one-time payments through Click2Gov during the time frame stated above. If you think you have been affected: -As a first step, we recommend that you closely monitor your financial accounts and if you see any unauthorized activity, promptly contact your financial institution. We also suggest that you submit a complaint with the Federal Trade Commission by calling 1 (877) 438-4338 (1-877-IDTHEFT) or online at www.ftccomplaintassistant.gov -As a second step, you may want to contact the three U.S. credit reporting agencies (Equifax, Experian, and TransUnion) to obtain a free credit report from each by calling 1 (877) 322-8228 or by logging onto www.annualcreditreport.com Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit reports periodically can help you spot a problem and address it quickly.

Cucamonga Valley Water District discloses Click2Gov breach

From the Cucamonga Valley Water District website, a Dec. 4 notification: Cucamonga Valley Water District (CVWD) was recently informed of a data breach of the Click2Gov web portal used by CVWD customers for one-time credit card payments. CVWD values its customers and respects the privacy of their information, which is why, as a precautionary measure, we are proactively letting affected customers know about a data security incident that may have involved their personal information. Between August 26, 2019, and October 14, 2019, a server that is used to accept one-time credit card payments from customers was breached allowing unauthorized access. This server is maintained and operated by an outside vendor of CVWD, Central Square. Upon becoming aware of the incident, Central Square investigated with the assistance of a leading cybersecurity firm. The investigation revealed the possibility that credit card payment information could have been collected. However, they were unable to find conclusive evidence that CVWD customer’s personal information was actually collected by any unauthorized party. Central Square has taken steps to remove the possibility of any further unauthorized access of the Click2Gov web payment portal. This breach happened with an outside vendor, Central Square, which CVWD uses for customer payments. The relationship with this vendor and the vendor’s protocols are being re-evaluated by CVWD. As an added precaution, Central Square is offering to provide CVWD customers with a twelve-month subscription to a credit monitoring service offered through TransUnion. Customers identified as potentially having their data accessed will be receiving letters directly from CVWD with additional details. The breach does not affect all CVWD customers. CVWD regrets this situation and any inconvenience or concern it may have caused our customers. CVWD is committed to providing quality service, including protecting our customer’s personal information, and we want to assure our customers that we have policies and procedures in place to protect your privacy. For more information, please call Epiq at 855-930-0684 for assistance or CVWD’s Customer Service team at 855-654-2893.