Another day, another Click2Gov client reporting a breach. This time it’s Waco, Texas. Update: Gemini Advisory reports that 2500 cards were involved.
Kaley Johnson reports more trouble for Click2Gov software by CentralSquare Technologies: About 3,000 customers of the Fort Worth Water Department may have had their information stolen due to a data breach, a department spokeswoman said. Those impacted would have made a one-time payment for Fort Worth water with a credit card between Aug. 27 and Oct. 23, spokeswoman Mary Gugliuzza said. Read more on Fort Worth Star-Telegram.
On February 25, Pasquotank-Camden Emergency Medical Service in North Carolina reported a breach to HHS that affected 20,420 patients. A notification sent to the Vermont Attorney General’s Office explained that sometime in late December, 2018, the county became aware of an unauthorized intrusion from outside of the U.S. Investigation revealed that the intruder was able to access files with protected health information, but they found no evidence that data was exfiltrated or misused. The county notified all those potentially impacted and offered them 12 months of credit monitoring and credit restoration services, should they be needed. A few days later, however, Jon Hawley of the Daily Advance reported on the incident, but reported that it was 40,000 patients affected as per the county’s most recent statement that week. Hawley also provided additional details, including the facts that the hack had occurred on December 14, that the hacker had erased files, and there had been no ransom demand. Of special note: Hammett said the hacker exploited a vulnerability in the county’s billing software, provided by the company TriTech, and tricked it into considering the hacker a normal user. That allowed the hacker to access records as far back as 2005, though most dated back to 2010, Hammett said. Some of the text files the hacker viewed were thousands of pages long, Hammett said, making it a long process to review what information had been compromised, who should be notified, and how. “Russy,” a regular reader of and contributor to this site, notes that in 2018, TriTech merged with Superion to form CentralSquare. Superion/CentralSquare is the company behind Click2Gov, the billing software many municipalities use. But unless I’m misunderstanding something, this does not appear to be the same vulnerability involved in Click2Gov breach reports, as Hawley cites the county manager Sparty Hammett as telling him that TriTech “was not aware of the vulnerability, and has closed it.”
Hammett also informed the paper that the county may move EMS data to TriTech’s cloud, rather than store it locally, or switch to another software entirely. EMS Director Jerry Newell said the data breach did not hinder ambulance response, and the agency was able to quickly restore the lost data. It sounds like the county had learned important lessons from a previous and severe attack in May, and was now better prepared in a number of ways. Read more on The Daily Advance.
Bruno reports: The hackers of the city parking fine system in Saint John, Canada have been selling sensitive data on the dark web for over a year. The security breach in the system was not spotted for 15 months after the initial attack, which ultimately allowed the hackers to gain personal information and credit card numbers of 6,000 Canadian residents. Read more on DarkWebNews. The report left me confused, not because the reporting was confusing, but because Saint John didn’t seem to have known about the breach when it seems that they likely should have known about it. DataBreaches.net reached out to Gemini Advisory, who had issued a report on the Click2Gov breach in December. They provided the following statement, which includes a very troubling allegation: We identified various affected cities in our initial findings related to the Click2Gov Breach, and we sent all of this information to CentralSquare Technologies (CST) on November 28, before we published any information about this breach online. It appeared that from all of the information we provided, CST only reached out to and notified the city of Topeka, Kansas. After a few email exchanges and halted responses from CST, we pushed out our full blog, which covered the breach and all of the affected cities. Our blog was picked up by various news outlets, including ITworld. A week or so afterward, the city of Saint John reached out to us directly. While the city initially communicated that it was not aware of any breach of its Click2Gov portal, after Gemini turned over all of its findings to the city, Saint John pushed a breach notification message to its residents. We have also reached out directly to Hanover County to notify it that it is a victim of the Click2Gov breach since the county’s compromised payment card information was posted for sale several weeks after our publication.
Shortly after receiving our information and after conducting an internal analysis, Hanover County sent out a breach notification to its residents. At this time, Gemini Advisory has turned over all of its findings to US Federal Law Enforcement for further analysis and for further victim notification. DataBreaches.net reached out to CentralSquare Technologies to ask them to respond to the allegation that they had not notified the entities Gemini Advisory had found to be compromised. They sent the following statement in response: Throughout last year and this year, we took proactive steps to keep all of our customers informed while working with them to keep their local on-premise systems updated and protected. It is important to note that these security issues have taken place only in on-premise environments in certain towns and cities that choose to host their own systems locally. No customer in the CentralSquare Cloud has faced these issues, even when they are using the same software. We continually work with each customer to help identify risk, while working with them to apply the latest patches and updates available for these systems, including patches for the third-party software that contributed to the issue. For security and confidentiality reasons, we cannot disclose any information about our customers, their environments or their security. So is that an actual denial of Gemini’s claim that only one entity was notified by CST? If Gemini notified CST on November 28, how is it that Saint John wasn’t notified and had to find out from a media report? Note that it was not just Gemini that attempted to notify CST. A spokesperson for FireEye tells DataBreaches.net: Superion, now Central Square Technologies, was provided an advanced copy of the FireEye blog ‘Click It Up: Targeting Local Government Payment Portals’, published on September 19, 2018. Representatives of the company did not comment on the blog prior to publication.
In a follow-up response, the spokesperson clarified that Superion never responded directly at all to the advanced copy of the blog, although FireEye did get a read receipt. Should the FTC and/or state attorneys general be investigating this widespread incident? I would hope that some regulator is at least looking into it, especially if we are being told that no less than two firms tried to give them the heads up and valuable information that might have protected municipalities. As always, coverage will be updated as more information becomes available.
WPTV reports: Customers of the City of Lake Worth Utilities who utilized the online credit card payment option to pay their bill may have experienced a possible breach of their credit card information. Lake Worth Utilities is encouraging all customers to check their statements for any fraudulent transactions that occurred between August 28 and October 9, 2018. The City of Lake Worth Utility Billing does not manage online credit card payments. They utilize an external vendor who is currently investigating the issue. Read more on WPTV. Update of October 16: When this was first posted, the incident sounded like another Click2Gov breach. Another news source subsequently confirmed that by naming CentralSquare Technologies as the vendor.
Nikki Henderson reports: Some Bossier City water customers may have had their information compromised due to a possible breach of an online billing payment system. The City of Bossier maintains a system that allows customers to pay their water bills online using a credit/debit card. In the past few business days, a number of water customers have alerted Bossier City to unauthorized charges on cards they used to pay their water bills. These reports raised a concern that the online payment system may have been breached. Read more on ArkLATex. Is this more of the Click2Gov breach? If so, why is the city first dealing with it now?
Kimberly Kolliner reports: It’s estimated 1,842 Medford residents may have been impacted by a City of Medford data breach. The city’s online utility billing service was infected with malware. The security breaches happened between February 18th through March 14th and March 29th through April 16th. June 5th is when forensic investigators determined the breach had occurred. Prior to that there was no detection because the breach – known as a zero-day compromise – used malware that has never been seen before. Read more on KTVL. I wonder if this is another Click2Gov case. Sounds like it could be.
More impact of the Click2Gov breach reported previously on this site. ABC Fox reports: The city says some customers that used its Click2Gov utility payment system in 2017 may have had their credit information stolen. A press release from the city says customers who used Click2Gov to make utility payments between July 1, 2017 and Oct. 24, 2017 are at risk. They say the security breach came to their attention when some utility customers reported seeing fraudulent activity on the same cards they’d used to pay their bills. The city says they started a lengthy investigation, and it took two cybersecurity firms to find evidence of a security breach. Read more on ABC Fox.
Midwest City, Oklahoma reports that about 2,300 customers were potentially affected by a breach involving software needed to use Click2Gov. As Dark Reading recently explained: Risk Based Security’s Inga Goddijn noticed a pattern of Click2Gov, a product of Superion Software, appearing in breach notification letters. The notifications came from cities across the United States, which reported both data breaches and the installation of cryptocurrency miners. Oxnard, Calif. was most recently breached; its incident occurred on May 25. Further investigation by Superion showed the attackers didn’t break in through Click2Gov but through third-party software needed to use it: Oracle’s WebLogic application server.
Scott Sutton reports: Wellington officials said Thursday they were recently notified about potential unauthorized charges on credit cards used by customers to pay their utility bills. In a written statement, the village said on Wednesday they received a call from their vendor, Superion, notifying them of vulnerabilities in their software related to Click2Gov online payments for utility bills. Credit card information may have been taken during the transactions. Read more on WPTV. This is not the first report like this. On May 31, this site noted a report that Oxnard residents were also apparently affected. Can other cities be far behind?