Almost four dozen Click2Gov breaches later and almost 300,000 affected; data showing up on dark web – report
Jeff John Roberts reports on a new report and analysis by Gemini Advisory:
Paying parking tickets or municipal water taxes is never fun—and it’s even worse when hackers have compromised your town’s payment system. Yet, that’s what happened in dozens of towns across the U.S. where cyber crooks have made off with the personal data of nearly 300,000 people. Security research firm Gemini Advisory published a report Tuesday that provides new details on how vulnerabilities in Click2Gov, a widely used type of government payment software, have affected towns from Oceanside, Calif. to Sarasota, Fla.
Read more on Fortune. You can access the Gemini Advisory report here.
The report partially addresses one of the questions I have repeatedly asked in my posts about these breaches. As to why this continues to happen, Gemini reports:
According to CentralSquare Technologies, the initial vulnerability which was identified in 2017 had been successfully mitigated, with all users being advised to deploy the software patch as soon as possible. However, it appears that the attackers uncovered another undetected vulnerability, which has yet to be patched.
Another Click2Gov breach? Why is this still happening?
Hays Post reports:
Authorities are investigating a data breach that may have affected hundreds of customers in Kansas. On Friday, the City of Topeka was notified by their Utility Billing Payment System software vendor Central Square that the city had been a potential victim of a cyber-attack, according to a media release. This potential data breach has not been confirmed at this time.
Read more on Hays Post. The city’s notification on their website follows:
City of Topeka Potential Victim of a Cyber-Attack
December 10, 2018
On the afternoon of December 7th, the City of Topeka was notified by our Utility Billing Payment System software vendor Central Square that the City of Topeka has been a potential victim of a cyber-attack. This potential data breach has not been confirmed at this time. Central Square has turned over their information to a forensics investigator to confirm the potential breach of the City of Topeka Utility Billing Payment System. On Saturday, December 8th the City of Topeka Information Technology team went through the data breach system and did not see any malicious activity.
As a potential victim of a cyber-attack, the City of Topeka wants to keep our customers’ information safe and city Information Technology staff worked with the software vendor on December 7th to transition the current online Utility Billing Payment System to a more secure platform as advised by the software vendor. Local law enforcement and the FBI have been notified of the potential breach.
The City of Topeka is working with very limited information at this time regarding the potential cyber-attack. The data breach occurred between October 31st and December 7th. The data breach would affect any City of Topeka Utilities customer who made a one-time payment or set up autopay during this time. E-checks and customers who set up autopay before October 31st will not be affected.
While this potential compromise has not been confirmed by a qualified forensic investigator yet, the City is strongly recommending, as a precautionary measure, customers who make credit card or debit card transactions using the online Utility Billing Payment System between October 31st and December 7th to contact their credit card issuer for advice related to the potential exposure of their credit card information. As the potential victim of a cyber-attack, the City of Topeka has identified that up to 10,000 customers have been potentially impacted by the data breach. City of Topeka Utilities Department will be sending a letter to customers whose information has potentially been impacted. Information on the potential breach will be on the City of Topeka website front page and updated as information becomes available. You can find more information on how to respond to a data breach at: https://www.ftc.gov/data-breach-resources
Indio Water Authority notifies residents of Click2Gov breach
In reviewing the Click2Gov breaches, I just discovered another one from October that I hadn’t posted on this site. Let’s remedy that now.
Statement on Click2Gov Data Security Incident
INDIO, CA (October 12, 2018) – Indio Water Authority (IWA) was informed in September of a cybersecurity incident potentially affecting the credit card information of customers who made a one-time water bill payment through Click2Gov, a third party that provides online payment support services to IWA and many public agencies across the country. As soon as we were notified of the incident, we immediately shut down the IWA side of the online payment system and launched a thorough investigation with the software vendor and a third-party forensic firm.
As a result of that investigation, we believe that the credit card information of customers who made one-time water bill payments through Click2Gov between January 1, 2017, and August 13, 2018, could have been impacted. The breach may have included their name, payment card number, expiration date, and security code. Other details such as Social Security numbers and driver’s license information are not entered or stored on Click2Gov and are not part of this incident.
Data security is of critical importance to IWA, and we take any matter related to our customers’ information seriously. From the start, our top priority was to quickly identify and notify customers who may be affected and assist them in every way possible. The forensic and legal review process is now complete and notifications prepared in accordance with the Federal Trade Commission guide to data breach response have been mailed to customers who may have been impacted.
To prevent another incident and better protect the personal information entrusted to us, IWA is enhancing existing security protocols, re-educating vendors on the importance of timely fixes of vulnerabilities and verifying those fixes.
In addition, IWA recently added security features to its Web Portal to protect customers’ privacy, providing a more secure and improved customer experience. We deeply regret any inconvenience and stress this incident may have caused some of our customers. Please be assured that we will continue to be vigilant in working to prevent incidents like this from happening in the future.
IA: Data breach found in city of Ames’ parking ticket payment system. It’s Click2Gov, again.
The Ames Tribune reports on yet another breach report involving Click2Gov (by CentralSquare Technologies):
A data breach to the city’s parking ticket payment system may have affected 4,600 customers who paid a city-issued ticket on the city’s online payment system between Aug. 10 and Nov. 19, city officials said Friday in a news release.
[…]
The city was notified on Nov. 18 that the system, which links to a third-party vendor (Click2Gov) may have been breached. City IT staff notified the vendor and initiated a series of customer safety steps, the release stated.
Why is this still happening? Was the city notified earlier this year about any vulnerabilities that needed to be patched or software updates that were needed? And how many more Click2Gov breaches have we yet to hear about?
h/t, Russy
City of Bakersfield announces data breach from hacked Click2Gov system
Another Click2Gov breach, this time affecting up to 2400 residents of the City of Bakersfield. The city’s statement, below, doesn’t indicate whether they were ever warned by CentralSquare Technologies, and if so, what they had done in response. DataBreaches.net has filed under freedom of information to try to obtain more records showing what CST had told the city and when.
Notice to Individuals Regarding Privacy Incident Involving the City of Bakersfield
NOTICE OF DATA BREACH
The City of Bakersfield (“Bakersfield”) values the relationship it has with its customers and understands the importance of protecting their information. This notice relates to information of some of its customers.
What Happened
After receiving reports that fraudulent activity was detected on payment cards used legitimately on our website, Bakersfield immediately launched an investigation. Through our investigation, we determined that an unauthorized party had inserted unauthorized code into Bakersfield’s online payment system, Click2Gov, which is developed by its third-party vendor, CentralSquare Technologies (“CentralSquare”). The unauthorized code was designed to capture payment card data and other information entered on Bakersfield’s Click2Gov online payment system between the dates of August 11, 2018 and October 1, 2018. Upon learning of the unauthorized code, Bakersfield began working with CentralSquare to remove the unauthorized code from our website’s Click2Gov online payment system.
What Information Was Involved
The information entered on the Click2Gov online payment system on Bakersfield’s website includes name, address, email address, payment card number, expiration date, and card security code (CVV).
What We Are Doing
Upon learning of the incident, Bakersfield worked swiftly to address the issue by immediately removing the malicious code from the Click2Gov online payment system on our website and initiating an expanded security review with CentralSquare.
To prevent another incident, we are enhancing our existing security protocols and re-educating our vendors on the importance of protecting personal information. Bakersfield also contacted law enforcement and is continuing to support law enforcement’s investigation.
What You Can Do
We remind you to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized charges. You should immediately report any unauthorized charges to your card issuer because payment card network rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card.
Bakersfield will begin mailing letters to the potentially affected individuals on November 12, 2018, and Bakersfield has established a dedicated call center to answer any questions. If you believe you may be affected by this incident but did not receive a letter by November 26, 2018, call (888) 278-8028 Monday through Friday, between 9:00 a.m. and 6:00 p.m., Pacific Time.
ADDITIONAL STEPS YOU CAN TAKE
The City of Bakersfield recommends that you remain vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228.
Contact information for the three nationwide credit reporting companies is as follows:
Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
Experian, PO Box 2002, Allen, TX 75013, www.experian.com, 1-888-397-3742
TransUnion, PO Box 2000, Chester, PA 19016, www.transunion.com, 1-800-916-8800
If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records.
Contact information for the Federal Trade Commission is as follows:
Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, DC 20580, www.ftc.gov/idtheft, 1-877-IDTHEFT (438-4338)
St. Petersburg timeline on Click2Gov raises questions as to whether the vendor was proactive or not
I have commented on the Click2Gov breach a few times — mostly wondering aloud why so many customers do not seem to have been made aware that they needed to update immediately, etc. RBS and FireEye have both discussed the Click2Gov incident in more depth. But now look at this disclosure from St. Petersburg, which I am reproducing in full below. The timeline raises a lot of questions, I think.
We have learned of a data security incident that occurred between August 11, 2018 and September 25, 2018 that involved some of our customers’ credit card information.
The City of St. Petersburg utilizes a third-party software product called Click2Gov to provide our customers with the ability to pay utility bills, parking tickets, business licenses, building permits, and civil citations online via the Internet. On Thursday, Sept 27, 2018 the Click2Gov vendor informed the city that they had found malicious software on the server. Our payment site was immediately shut down to prevent access. The city preserved the existing system for forensic analysis and immediately worked with our vendor to build a new system. By 1:30 pm on Friday, Sept 28, 2018 the city had a new system configured and was back in a fully operational mode.
Timeline of events
• Contacted the vendor regarding Ormond Beach press release “Online Utility Billing Payment System Potential Breach” 10/13/17
• Requested vendor to review our system 10/16/17
• Vendor scanned our system and applied critical security updates 1/8/18
• Subsequent updates released and installed on 4/5/18, 5/21/18, and 8/15/18
• Contacted vendor to report we were having intermittent issues with our online payments system being down and they accessed our system to research on 9/21/18.
• Contacted vendor as follow up to this issue and requested them to access our system once again to identify the problem on 9/26.
• Follow up call to notify vendor the site was down once again, the vendor connected to our system at 11:24 AM on 9/27/18.
• We were notified by the vendor at 1:30PM that our system had been breached and it was immediately taken down to prevent further access.
• Migrated to new server configuration and online payments system was made available to the public by 2:00PM 9/28/18
The infected system was reviewed by a vendor, specializing in forensic analysis, and their preliminary findings indicate that the Click2Gov pages used to accept credit card information had been breached. The breach only affected users of the online Click2Gov system who made payments for utility bills, parking tickets, business licenses, building permits, or civil citations by credit card between Aug 11, 2018 and Sept 25, 2018. Any payments made in person, via the phone system, via E-Check or to any other city systems were not impacted.
The City of St. Petersburg takes protection of our data systems very seriously and constantly patches all our systems so that risks to our customer data can be minimized. The Click2Gov system had security patches applied to it in January, April, May and August of this year. In addition, the city also performs internal and external testing to ensure that the systems are not prone to any known vulnerabilities.
If you think you have been affected
As a first step, we recommend that you closely monitor your financial accounts and if you see any unauthorized activity, promptly contact your financial institution. We also suggest that you submit a complaint with the Federal Trade Commission by calling 1 (877) 438-8228 (1-877-IDTHEFT) or online at www.ftccomplaintassistant.gov .
As a second step, you may want to contact the three U.S. credit reporting agencies (Equifax, Experian, and TransUnion) to obtain a free credit report from each by calling 1 (877) 322-8228 or by logging onto www.annualcreditreport.com . Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically.
Checking your credit reports periodically can help you spot a problem and address it quickly. If you feel you’ve been a victim of identity theft, you should file a police report with your local law enforcement agency. If you live in St. Petersburg, call St. Petersburg Police at 727-893-7780 to file a report over the phone. You can also do it on line, go to www.police.stpete.org and scroll down and click on the eagle link. We sincerely apologize for the inconvenience this incident has caused you. This notice has not been delayed for the purpose of completing an investigation in this matter, and we will keep you informed of any developments in the investigation that may be of importance to you. Note: This notice was only sent to users who were possibly affected by the breach. Updated October 13, 2018: And here’s yet another city that is first making notifications: City of Indio notification.
Click2Gov Update: ICYMI Here’s The Latest
RBS is doing a great job of tracking the Click2Gov breaches. In their most recent update, they report:
It’s been three months since our original post was published and as feared, breaches of the Click2Gov system continue to be reported. Here is what we’ve learned: Attackers are exploiting an unpatched vulnerability in Oracle’s WebLogic. Early on, we speculated whether the problem was with the Click2Gov application itself and whether it impacted the cloud-based version of the system. It has since come to light that only local installations are at risk. Attackers are gaining access to application servers due to a known vulnerability in WebLogic and escalating the attack from there. Few other details about the attack methods have come to light. That said, one intriguing detail has remained consistent – only one-time payments are at risk. Data for customers with auto-pay enabled has not been exposed. That does make us wonder if there is another weakness in play, perhaps associated with the form or page used to enter payment information. Nine more incidents involving Click2Gov installations have come to light.
Read more on RBS. And sure enough, there was another update to note: FireEye issued an analysis and report.
Click2Gov Payment System Security Breach
A reader kindly alerted me to the fact that the city of Tyler had reported a breach. When I looked into it, I saw that it’s yet one more report on Click2Gov by Superion. This has been a known problem since last year, so why haven’t municipal governments updated and patched? RiskBasedSecurity had a more in-depth look into the problem and the vendor’s response that you can read here. If you live in a community that uses Click2Gov, you might want to inquire whether your community has updated and patched properly. Here is the city of Tyler’s notification:
Click2Gov Payment System Security Breach/ Falla en Seguridad del Sistema de Pago Click2Gov
by Julie Goodgame – September 10, 2018
We have been notified that an unknown third-party was able to gain access to payments made through the Click2Gov online-payment system we use to collect payments for utilities and municipal court fines and fees. The date range of the breach is June 18, 2018, to Aug. 21, 2018. Credit card information for utilities and municipal court customers who made payments in person may have been breached, as well as those who made one-time payments online. The City is in the process of identifying and contacting individual customers who may be affected by the breach. Payments made with a credit card through the 24-hour kiosk or over the phone through the IVR payment system were not affected.
We apologize for and deeply regret any inconvenience or concern this may cause. We are taking all necessary steps to investigate the breach and ensure the most secure online experience possible for our customers.
WHAT INFORMATION WAS INVOLVED?
Personal information affected by the incident includes payment card information (card number, security code, and expiration date), first and last name, middle initial, address, city, state and zip code.
WHAT ARE WE DOING?
Upon notification, we immediately shut down our payment connection to Superion, the Click2Gov software provider, and began working with them to determine if our customers’ information was compromised. We then implemented additional security measures designed to prevent a recurrence of such an attack, and to protect your privacy. The online payment system has been secured and is back online. We are working closely with law enforcement to ensure the incident is properly addressed.
WHAT SHOULD CUSTOMERS DO?
In addition to the steps already taken by us, customers can take the following additional precautionary steps to further protect themselves:
1. Review any credit card statements closely and report any unauthorized charges, no matter how small, to the card issuer immediately. The phone number to call is usually on the back of the payment card.
2. Ask your credit card issuer/bank to deactivate your card and issue a new card.
3. Request a fraud alert to be placed on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. You may call any of the three major credit bureaus listed in this communication. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. The initial fraud alert stays on your credit report for 90 days. You can renew it after 90 days.
4. File a report refer them to IdentityTheft.gov or IC3.gov. These are federal reporting sites for computer/on-line crimes. IdentityTheft.gov will provide you with a case number.
5. Request that all three credit reports be sent to you, free of charge, for your review. Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission recommends that you check your credit reports periodically. Thieves may hold stolen information to use at various times. Check your credit reports periodically to help spot problems and address them quickly.
• Equifax: Equifax.com or 1-800-525-6285
• Experian: Experian.com or 1-888-397-3742
• TransUnion: Transunion.com or 1-800-680-7289
Again, we apologize for any inconvenience or concern this may cause. We are taking all necessary steps to investigate the breach and ensure the most secure online experience possible for our customers.
ADDITIONAL INFORMATION
Any vulnerability regarding credit card information would not have increased the amount of a monthly bill. We encourage customers to contact us with any concerns at (903-531-1119) or ([email protected]).
8 U.S. City Websites Targeted in Magecart Attacks
Lindsey O’Donnell reports:
Researchers believe that Click2Gov, municipal payment software, may be at the heart of this most recent government security incident
Researchers are warning that the websites of eight U.S. cities – across three states – have been compromised with payment card-stealing Magecart skimmers. The websites all utilize Click2Gov municipality payment software, which was previously involved in data breaches.
Read more on ThreatPost. You’ll find a lot of coverage on Click2Gov’s breaches linked from here.
NV: Hackers compromise financial information for Carson City residents who pay water bill online
Did you think we were done with reports of Click2Gov clients discovering they had been hacked? Guess again…. Kelsey Penrose reports:
According to a letter sent out to a group of residents who pay their water bill online in Carson City, their financial information was compromised due to a data breach, according to City Manager Nancy Paulson.
Read more on CarsonNow. Those at risk are residents who made a one-time payment through the portal between August 1, 2019 and September 12, 2019. The problem was discovered in September. Details about the discovery and what kinds of PII are at risk as a result of the incident can be found on the city’s site, here.