VA: Notice of Click2Gov-related Data Breach of Hanover County Online Payment System
From the county’s notice, which you can find in its entirety here:
Hanover County was recently notified about potential unauthorized charges on credit cards used by customers to pay their utility bills via the website between August 1, 2018 and January 9, 2019. The County takes the security and protection of its customers’ confidential information seriously.
On January 9, 2019, Gemini Advisory, a group that monitors internet websites for exposed credit card information, notified County staff that credit card information used to make online payments through Hanover’s Central Square Click2Gov system had been compromised. A vulnerability that the County was unaware of allowed this credit card information to be taken during transactions by unauthorized individuals.
The County immediately validated the claim and isolated the Click2Gov system from public access to try to find what information had been compromised and whether the County’s system was still vulnerable. The County has been working with MS-ISAC and CERT, outside agencies that deal with information breaches, to complete a full forensic analysis of what occurred. The County is also working with the software company and has built a new Click2Gov server using different software than the program that was involved in the original breach.
Working with information received from Gemini Advisory we have been able to confirm the exposure of credit card information used to make online payments with the Click2Gov system.
What Information Was Involved
The County has reason to believe that all credit card information entered into the Click2Gov system for utility and building inspection payments between approximately August 1, 2018 and January 9, 2019 may be at risk. This information includes customer names, credit card number, and expiration dates. Payments made over the phone and automatic withdrawals were notaffected; only payments made online through the Click2Gov portal were compromised.