St. Petersburg timeline on Click2Gov raises questions as to whether the vendor was proactive or not
I have commented on the Click2Gov breach a few times — mostly wondering aloud why so many customers do not seem to have been made aware that they needed to update immediately, etc. Both RBS and FireEye have both discussed the Click2Gov incident in more depth.
But now look at this disclosure from St. Petersburg, which I am reproducing in full below. The timeline raises a lot of questions, I think.
We have learned of a data security incident that occurred between August 11, 2018 and September 25, 2018 that involved some of our customers’ credit card information.
The City of St. Petersburg utilizes a third-party software product called Click2Gov to provide our customers with the ability to pay utility bills, parking tickets, business licenses, building permits, and civil citations online via the Internet.
On Thursday, Sept 27, 2018 the Click2Gov vendor informed the city that they had found malicious software on the server. Our payment site was immediately shut down to prevent access. The city preserved the existing system for forensic analysis and immediately worked with our vendor to build a new system. By 1:30 pm on Friday, Sept 28, 2018 the city had a new system configured and was back in a fully operational mode.
Timeline of events
- Contacted the vendor regarding Ormond Beach press release “Online Utility Billing Payment System Potential Breach 10/13/17
- Requested vendor to review our system 10/16/17
- Vendor scanned our system and applied critical security updates 1/8/18
- Subsequent updates released and installed on 4/5/18, 5/21/18, and 8/15/18
- Contacted vendor to report we were having intermittent issues with our online payments system being down and they accessed our system to research on 9/21/18.
- Contacted vendor as follow up to this issue and requested them to access our system once again to identify the problem on 9/26.
- Follow up call to notify vendor the site was down once again, the vendor connected to our system at 11:24 AM on 9/27/18.
- We were notified by the vendor at 1:30PM that our system had been breached and it was immediately taken down to prevent further access.
- Migrated to new server configuration and online payments system was made available to the public by 2:00PM 9/28/18
The infected system was reviewed by a vendor, specializing in forensic analysis, and their preliminary findings indicate that the Click2Gov pages used to accept credit card information had been breached. The breach only affected users of the online Click2Gov system who made payments for utility bills, parking tickets, business licenses, building permits, or civil citations by credit card between Aug 11, 2018 and Sept 25, 2018. Any payments made in person, via the phone system, via E-Check or to any other city systems were not impacted.
The City of St. Petersburg takes protection of our data systems very seriously and constantly patches all our systems so that risks to our customer data can be minimized. The Click2Gov system had security patches applied to it in January, April, May and August of this year. In addition, the city also performs internal and external testing to ensure that the systems are not prone to any known vulnerabilities.
If you think you have been affected
- As a first step, we recommend that you closely monitor your financial accounts and if you see any unauthorized activity, promptly contact your financial institution. We also suggest that you submit a complaint with the Federal Trade Commission by calling 1 (877) 438-8228 (1-877-IDTHEFT) or online at www.ftccomplaintassistant.gov .
- As a second step, you may want to contact the three U.S. credit reporting agencies (Equifax, Experian, and TransUnion) to obtain a free credit report from each by calling 1 (877) 322-8228 or by logging onto www.annualcreditreport.com .
Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit reports periodically can help you spot a problem and address it quickly.
If you feel you’ve been a victim of identity theft, you should file a police report with your local law enforcement agency. If you live in St. Petersburg, call St. Petersburg Police at 727-893-7780 to file a report over the phone. You can also do it on line, go to www.police.stpete.org and scroll down and click on the eagle link.
We sincerely apologize for the inconvenience this incident has caused you. This notice has not been delayed for the purpose of completing an investigation in this matter, and we will keep you informed of any developments in the investigation that may be of importance to you.
Note: This notice was only sent to users who were possibly affected by the breach.
Updated October 13, 2018: And here’s yet another city that is first making notifications:
City of Indio notification.