Malware Attacks Popular Third-Party Municipal Payment System Compromising Residents Data

2019, Breaches, February

Who: CentralSquare Technologies, manufacturer of the click2gov bill-pay management system in 46 North American Municipalities

# of Records Affected: 294,929

When it happened: December 20, 2018

What happened: Click2Gov, a software application popular among municipalities for processing online payments of utility bills and fees, has been compromised in 46 U.S. cities and one Canadian location. Hackers were able to install malware that was used to disrupt the municipal server allowed the hackers to acquire personal information and credit card numbers of people who paid their parking fines using their phone, credit card or in person.

How it happened: The security breach in the system was not spotted for 15 months after the initial attack and the service provider were stunned to find out the system had been infected for 18 months. The hackers had gained access to card numbers, names of the cardholders, card verification numbers, addresses as well as card expiration dates.

Outcome: As soon as the city’s IT department found out about the hacking, the system immediately was shut down to prevent any further damage. However, data belonging to many card users were sold on the dark web for 15 months, disabling the authorities to remedy the situation. The illegal trade of delicate information happened on dark web markets, where the stolen data was sold to strangers for $10. The reasons and the people behind the attack are still unknown. The city currently works on providing the citizens with a substitute for the service, and the initial parking fine system remains offline to this day. The patching apparently has not been fully successful despite broad patch deployment the system remains vulnerable for an unknown reason. Part of the problem is that some municipalities have failed to install the patches, according to one media report. Compromises are still popping up. Since early October, Saint Petersburg, Fla., Bakersfield, Calif., and Ames, Iowa have all reported online utility payment breaches. All three reports claimed that the point of compromise was the Click2Gov software.