Yet another city reports a Click2Gov breach

Another city has reported a breach involving Click2Gov software by CentralSquare Technologies.  WTVY reports Dothan, Alabama has joined more than four dozen other cities using Click2Gov that have experienced breaches involving payment card data of residents using online payment portals: “It has come to the City of Dothan’s attention that CentralSquare, the third-party processor of online utility payments, via their Click2Gov application, has been compromised via a recent cyber attack,” the city said in a statement. Read more on WTVY.  As with other some other cities we learned about this year, the attack seems to have occurred between August 26 and October 14 of this year.  It’s not clear when Dothan discovered the attack and if they discovered it or whether CentralSquare Technologies alerted them to investigate. The Dothan Eagle has a bit more detail on the attack itself, reporting that CentralSquare Technologies say that the attacker used a “screen scraper” process to steal online customers’ private information. That means Dothan Utilities customers who used stored credit card and address information to pay their bills in that timeframe were not likely subject to the data breach. Customers who typed their information in the system, like those who may have used the one-time payment system or new customers, may still be at risk, Mason said. The firm’s CEO never answered this site’s recent inquiry as to whether this was a second vulnerability affecting cities after August or a previously known issue.  

TX: City of San Angelo investigating Click2Gov breach

John Tufts reports: The City of San Angelo is investigating a security breach with the city’s online water billing system after fears customer’s credit card information may have been stolen. “Some water customers may have noticed irregularities with their credit and debit card accounts after recently paying their monthly statement through the City’s online payment system,” according to a news release issued Wednesday. This latest breach is not the first time San Angelo residents have had to closely monitor their accounts. San Angelo resident’s credit card information from the city’s online water billing services was compromised in August 2018. Read more on GoSanAngelo. And yes, it’s Click2Gov and the city says it is transitioning to a new payment system.

City of Norman, OK temporarily suspends utility payment portal; ditches Click2Gov after another potential security incident

The City of Norman, Oklahoma has suspended its online portal for paying utility bills after they were notified of a potential security incident involving Click2Gov software by CentralSquare Technologies. At this point, the city seems to have had enough with Click2Gov security issues. The city is currently in the process of switching over to another payment processor. The city issued the following press release: All online payments for City of Norman utility services and permitting fees are suspended through November 12 while the City makes an emergency transfer to a new payment processor. Payments may be made in person at 201-C W. Gray St., by mail at the same address or by calling 405-366-5320 for Utility payments or 405-366-5339 for permitting and licensing fees. The City was made aware of a potential security event this week involving Click2Gov, a third-party payment software system that processes some payments on behalf of the City. As a precaution, the City has taken down the Click2Gov payment servers and is in the process of implementing a new online payment solution through Paymentus. The new software is anticipated to be online by November 12. The City of Norman takes cyber-security and the public’s data very seriously. The City works on a daily basis to ensure its online systems are secure to the highest extent possible, and the safeguarding of its citizen’s financial information is the City’s highest priority. The City is currently working with CentralSquare, the parent company of Click2Gov, and other third-party experts to determine the scope of the security event. An investigation into the event at Click2Gov by the Federal Bureau of Investigation is ongoing. Once the investigation is complete, all potentially impacted parties will be notified as required by the law. Previous coverage of Click2Gov breaches is linked from here. CORRECTION:  A previous version of this post incorrectly reported that this was the second time Norman, Oklahoma experienced a Click2Gov breach.  This was the only such incident Norman, Oklahoma reported. DataBreaches.net regrets the error.

More victims of yet another Click2Gov breach this week

Yet another report of a data breach involving Click2Gov software by Central Square Technology. Previous coverage of the publicly disclosed breaches from 2017, 2018, and 2019 are linked from here. Also see research reports by FireEye, Gemini Advisory, and RBS for additional background. The latest victim to come forward — at least the most recent one I’ve found in news — is the U.S. Virgin Islands Water and Power Authority (WAPA). According to The St. Croix Source and The Virgin Islands Consortium, WAPA is reporting a hack that has resulted in an unknown number of victims experiencing credit card or debit card fraud. Here are a few things you need to know about this latest report: WAPA said it first learned of the possible compromise on October 18 and reportedly notified CST that day. That would have been about the same time that Click2Gov was notifying Port Orange to suspend use of the software while they investigated “an unconfirmed software issue that may have resulted in vulnerabilities.” The St. Croix Source reports that WAPA claims that a forensics auditor determined that, at that time (October 18), the payment portal was not compromised. Frankly, that does not sound credible. When a second customer notified WAPA on October 22 of card fraud, WAPA, contacted CST again and CST reportedly later confirmed the cyberattack. According to The St. Croix Source, CST told WAPA that the Click2Gov application was hit by a “never before seen attack.” Central Square reportedly developed and implemented a security fix on October 25. But “never seen before” attack? Was this or wasn’t this the same issue CST was investigating related to Port Orange in Florida? And was this the same issue that resulted in eight cities disclosing breaches in August?  How many different issues has CST identified that resulted in actual hacks? DataBreaches.net sent an inquiry to CST last night. This post will be updated when a response is received.

Port Orange Suspends Online Payment System to Investigate Possible Data Breach Involving Click2Gov

Update:  The original post below was published on October 19, 2019. On January 10, 2020, Port Orange said that they were first notified by CentralSquare on November 6. Yet they had reportedly suspended payment by October 19 to investigate. So why has it taken them so long to make this follow-up announcement? Spectrum News reports that Click2Gov software by CentralSquare Technologies may still pose a risk to municipal governments that use it to allow residents to pay bills. In a press release, city officials said the company that develops its payment system for utilities billing and taxes, Click2Gov, informed them they wanted to investigate “an unconfirmed software issue that may have resulted in vulnerabilities.” Read more on Spectrum News. What is going on? Initially, it sounded like it was only software installations that were locally run and that may not have been updated or patched. But now it seems like there may be another explanation.  And if that’s the case, have all governments using the software been notified or alerted? You can find previous coverage on Click2Gov breaches here. There have also been reports by RiskBasedSecurity, FireEye, and Gemini Advisory, who recently reported on a second wave of breaches.

Eight cities impacted in second wave of Click2Gov breaches – Gemini Advisory

It’s been a rough year for municipalities, and it’s only likely to get worse. While we read more and more reports of school districts becoming victims of ransomware attacks that delayed school openings or caused school closings, we have also read numerous reports of municipal police and law enforcement sites being defaced, and other municipal sites being attacked with ransomware. And then there were the Click2Gov reports. In 2018, this site noted more than four dozen cases of municipalities reporting hacks of their payment portals that used Click2Gov software. CentralSquare Technologies, the manufacturer of Click2Gov, had provided this site with a statement claiming that only municipalities who were self-hosting the software were affected. In the first wave of attacks, Gemini Advisory analysts informed DataBreaches.net that as of December, 2018, more than 300,000 Card Not Present payment card records had been found up for sale on the dark web. The breach reports continued into March, 2019, but for the last six months, there had been no new reports. Until Stanislav Alforov, Gemini Advisory‘s Director of Research, contacted this site recently to report that they had discovered what appeared to be a second wave of attacks involving Click2Gov. In an approximate one-month period, their analysts had found 20,000 payment card records up for sale on the dark web. The records appeared to be linked to 8 cities in five states, and further investigation revealed that these cities were all using Click2Gov. Unfortunately for six of the eight cities, it was the second time they had experienced a breach involving Click2Gov. The eight cities are Deerfield Beach (FL), Palm Bay (FL), Milton (FL), Coral Springs (FL), Bakersfield (CA), Pocatello (ID), Broken Arrow (OK), and Ames (IA). Only Pocatello and Broken Arrow had not experienced previous Click2Gov breaches. Of note, and unlike the first wave when many of those affected had local installations of the software that had not been updated or patched, Gemini’s analysts confirmed that many of the newly affected towns were operating patched and up-to-date Click2Gov systems at the time they experienced a breach. DataBreaches.net contacted CentralSquare Technologies to ask them for their comments on the current situation. In response, they sent a statement that said, in relevant part: We have recently received reports that some consumer credit card data may have been accessed by unauthorized or malicious actors on our customers’ servers. It is important to note that these security issues have taken place only in certain towns and cities. We have immediately conducted an extensive forensic analysis and contacted each and every customer that uses this specific software, and are working diligently with them to keep their systems updated and protected. That statement almost seems to imply that the affected municipalities systems’ had not been updated and properly protected. That statement appears to conflict with Gemini’s findings that the municipalities they spoke with were using updated and patched installations. DataBreaches.net asked CST to confirm whether the “specific software” reference in their statement was to Click2Gov or if it was a reference to some other software.  Their spokesperson confirmed that they were referring to Click2Gov software and added Based on our current investigation, the vulnerability existed for a limited number of Click2Gov customers, and has been closed. At this time, only a small number of customers have reported unauthorized access. Based on Gemini Advisory’s statements to this site and their new report, it sounds like someone did find and exploit a new vulnerability.  And as Gemini Advisory notes in their report, that should not be surprising: Given the success of the first campaign, which generated over $1.9 million in illicit revenue, the threat actors would likely have both the motive and the budget to conduct a second Click2Gov campaign. You can read Gemini Advisory’s report here. Update of October 4:  Bakersfield announced that it is terminating its relationship with Click2Gov. Update of November 15:  About 3,500 residents of Pocatello were affected.

Pompano Beach warned nearly 4,000 residents of data breach involving Click2Gov

Wayne K. Roustan reports: A data breach at a company that handles the billing for municipal water service has Pompano Beach city officials working to minimize the potential damage. Hackers gained unauthorized access to credit or debit card data stored with software company CentralSquare and used for one-time online water bill payments made through the city’s website from Aug. 30 to Dec. 6, officials said. Read more on SunSentinel.

VA: Notice of Click2Gov-related Data Breach of Hanover County Online Payment System

From the county’s notice, which you can find in its entirety here: Hanover County was recently notified about potential unauthorized charges on credit cards used by customers to pay their utility bills via the website between August 1, 2018 and January 9, 2019. The County takes the security and protection of its customers’ confidential information seriously. What Happened On January 9, 2019, Gemini Advisory, a group that monitors internet websites for exposed credit card information, notified County staff that credit card information used to make online payments through Hanover’s Central Square Click2Gov system had been compromised. A vulnerability that the County was unaware of allowed this credit card information to be taken during transactions by unauthorized individuals. The County immediately validated the claim and isolated the Click2Gov system from public access to try to find what information had been compromised and whether the County’s system was still vulnerable. The County has been working with MS-ISAC and CERT, outside agencies that deal with information breaches, to complete a full forensic analysis of what occurred. The County is also working with the software company and has built a new Click2Gov server using different software than the program that was involved in the original breach. Working with information received from Gemini Advisory we have been able to confirm the exposure of credit card information used to make online payments with the Click2Gov system. What Information Was Involved The County has reason to believe that all credit card information entered into the Click2Gov system for utility and building inspection payments between approximately August 1, 2018 and January 9, 2019 may be at risk. This information includes customer names, credit card number, and expiration dates. Payments made over the phone and automatic withdrawals were notaffected; only payments made online through the Click2Gov portal were compromised.

Click2Gov breach in parking payment system in Canada might have exposed personal information

Shane Ross of CBC reports: Saint John has shut down its online system used to pay parking tickets after discovering a data breach that could have exposed customer names, addresses and credit card information. […] The city uses a third-party software product called Click2Gov from its service provider, CentralSquare Technologies, to provide customers with the ability to pay parking tickets through the city website. Read more on CBC.