Stolen Credit Card Data from City Parking Systems Sold on the Dark Web

Bruno reports: The hackers of the city parking fine system in Saint John, Canada have been selling sensitive data on the dark web for over a year. The security breach in the system was not spotted for 15 months after the initial attack, which ultimately allowed the hackers to gain personal information and credit card numbers of 6,000 Canadian residents. Read more on DarkWebNews. The report left me confused– not because the reporting was confusing, but because Saint John didn’t seem to have known about the breach when it seems that they likely should have known about it. reached out to Gemini Advisory, who had issued a report on the Click2Gov breach in December. They provided the following statement, which includes a very troubling allegation: We identified various affected cities in our initial findings related to the Click2Gov Breach, and we sent all of this information to CentralSquare Technologies (CST) on November 28, before we published any information about this breach online. It appeared that from all of the information we provided, CST only reached out to and notified the city of Topeka, Kansas. After a few email exchanges and halted responses from CST, we pushed out our full blog, which covered the breach and all of the affected cities. Our blog was picked up by various news outlets, including ITworld. A week or so afterward, the city of Saint John reached out to us directly. While the city initially communicated that it was not aware of any breach of its Click2Gov portal, after Gemini turned over all of its findings to the city, Saint John pushed a breach notification message to its residents. We have also reached out directly to Hanover County to notify it that it is a victim of the Click2Gov breach since the county’s compromised payment card information was posted for sale several weeks after our publication. Shortly after receiving our information and after conducting an internal analysis, Hanover Country sent out a breach notification to its residents. At this time, Gemini Advisory has turned over all of its findings to US Federal Law Enforcement for further analysis and for further victim notification. reached out to CentralSquare Technologies to ask them to respond to the allegation that they had not notified the entities Gemini Advisory had found to be compromised. They sent the following statement in response: Throughout last year and this year, we took proactive steps to keep all of our customers informed while working with them to keep their local on-premise systems updated and protected. It is important to note that these security issues have taken place only in on-premise environments in certain towns and cities that choose to host their own systems locally. No customer in the CentralSquare Cloud has faced these issues, even when they are using the same software. We continually work with each customer to help identify risk, while working with them to apply the latest patches and updates available for these systems, including patches for the third-party software that contributed to the issue. For security and confidentiality reasons, we cannot disclose any information about our customers, their environments or their security. So is that an actual denial of Gemini’s claim that only one entity was notified by CST?  If Gemini notified CST on November 28,  how is it that Saint John wasn’t notified and had to find out from a media report? Note that it was not just Gemini that attempted to notify CST.  A spokesperson for FireEye tells Superion, now Central Square Technologies, was provided an advanced copy of the FireEye blog ‘Click It Up: Targeting Local Government Payment Portals‘, published on September 19, 2018. Representatives of the company did not comment on the blog prior to publication. In a follow-up response, the spokesperson clarified that Superion never responded directly at all to the advanced copy of the blog, although FireEye did get a read receipt. Should the FTC and/or state attorneys general be investigating this widespread incident? I would hope that some regulator is at least looking into it, especially if we are being told that no less than two firms tried to give them the heads up and valuable information that might have protected municipalities. As always, coverage will be updated as more information becomes available.

Click2Gov breach in parking payment system in Canada might have exposed personal information

Shane Ross of CBC reports: Saint John has shut down its online system used to pay parking tickets after discovering a data breach that could have exposed customer names, addresses and credit card information. […] The city uses a third-party software product called Click2Gov from its service provider, CentralSquare Technologies, to provide customers with the ability to pay parking tickets through the city website. Read more on CBC.

Almost four dozen Click2Gov breaches later and almost 300,000 affected; data showing up on dark web – report

Jeff John Roberts reports on a new report and analysis by Gemini Advisory: Paying parking tickets or municipal water taxes is never fun—and it’s even worse when hackers have compromised your town’s payment system. Yet, that’s what happened in dozens of towns across the U.S. where cyber crooks have made off with the personal data of nearly 300,000 people. Security research firm Gemini Advisory published a report Tuesday that provides new details on how vulnerabilities in Click2Gov, a widely used type of government payment software, has affected towns from Oceanside, Calif. to Sarasota, Fla. Read more on Fortune.  You can access the Gemini Advisory report here.   The report partially addresses one of the questions I have repeatedly asked in my posts about these breaches.  As to why this continues to happen, Gemini reports: According to CentralSquare Technologies, the initial vulnerability which was identified in 2017 had been successfully mitigated, with all users being advised to deploy the software patch as soon as possible. However, it appears that the attackers uncovered another undetected vulnerability, which has yet to be patched.   

IA: Data breach found in city of Ames’ parking ticket payment system. It’s Click2Gov, again.

The Ames Tribune reports on yet another breach report involving Click2Gov (by CentralSquare Technologies): A data breach to the city’s parking ticket payment system may have affected 4,600 customers who paid a city-issued ticket on the city’s online payment system between Aug. 10 and Nov. 19, city officials said Friday in a news release. […] The city was notified on Nov. 18 that the system, which links to a third-party vendor (Click2Gov) may have been breached. City IT staff notified the vendor and initiated a series of customer safety steps, the release stated. Why is this still happening? Was the city notified earlier this year about any vulnerabilities that needed to be patched or software updates that were needed? And how many more Click2Gov breaches have we yet to hear about? h/t, Russy

City of Bakersfield announces data breach from hacked Click2Gov system

Another Click2Gov breach, this time affecting up to 2400 residents of the City of Bakersfield. The city’s statement, below, doesn’t indicate whether they were ever warned by CentralSquare Technologies, and if so, what they had done in response. has filed under freedom of information to try to obtain more records showing what CST had told the city and when. Notice to Individuals Regarding Privacy Incident Involving the City of Bakersfield NOTICE OF DATA BREACH The City of Bakersfield (“Bakersfield”) values the relationship it has with its customers and understands the importance of protecting their information.  This notice relates to information of some of its customers. What Happened After receiving reports that fraudulent activity was detected on payment cards used legitimately on our website, Bakersfield immediately launched an investigation. Through our investigation, we determined that an unauthorized party had inserted unauthorized code into Bakersfield’s online payment system, Click2Gov, which is developed by its third-party vendor, CentralSquare Technologies (“CentralSquare”). The unauthorized code was designed to capture payment card data and other information entered on Bakersfield’s Click2Gov online payment system between the dates of August 11, 2018 and October 1, 2018. Upon learning of the unauthorized code, Bakersfield began working with CentralSquare to remove the unauthorized code from our website’s Click2Gov online payment system. What Information Was Involved The information entered on the Click2Gov online payment system on Bakersfield’s website includes name, address, email address, payment card number, expiration date, and card security code (CVV). What We Are Doing Upon learning of the incident, Bakersfield worked swiftly to address the issue by immediately removing the malicious code from the Click2Gov online payment system on our website and initiating an expanded security review with CentralSquare. To prevent another incident, we are enhancing our existing security protocols and re-educating our vendors on the importance of protecting personal information. Bakersfield also contacted law enforcement and is continuing to support law enforcement’s investigation. What You Can Do We remind you to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized charges. You should immediately report any unauthorized charges to your card issuer because payment card network rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Bakersfield will begin mailing letters to the potentially affected individuals on November 12, 2018, and Bakersfield has established a dedicated call center to answer any questions. If you believe you may be affected by this incident but did not receive a letter by November 26, 2018, call (888) 278-8028 Monday through Friday, between 9:00 a.m and 6:00 p.m., Pacific Time. ADDITIONAL STEPS YOU CAN TAKE The City of Bakersfield recommends that you remain vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity.  You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To orderyour annual free credit report, please visit or call toll free at 1-877-322-8228.  Contact information for the three nationwide credit reporting companies is as follows: Equifax, PO Box 740241, Atlanta, GA 30374,, 1-800-685-1111 Experian, PO Box 2002, Allen, TX 75013,, 1-888-397-3742 TransUnion, PO Box 2000, Chester, PA 19016,, 1-800-916-8800 If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in yourstate. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report.  Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records.  Contact information for the Federal Trade Commission is as follows: Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, DC20580,, 1-877-IDTHEFT (438-4338)