More than a dozen small and midsize cities around the United States have suffered data breaches linked to an online bill payment application. Medford, Oregon , this week became the latest community to report that its residents’ personal information may have been compromised due to a vulnerability in the program called Click2Gov.
Medford, a city of nearly 82,000 about 30 miles north of the Oregon-California border, announced Monday that in June, it had shut down the online payment server running Click2Gov that it uses to process utility bills, permit applications and business licenses after discovering a data breach.
The Medford breach affected as many 1,842 people who used Click2Gov between February 18 and March 14, and again between March 29 and April 16, the city said. Those individuals’ names, credit card numbers, card expiration dates and security codes were potentially exposed, though Social Security numbers and other federal and state identification numbers were not. As many as 30,000 people citywide use the online payment system, Medford officials said.
But Medford is just one of more than a dozen jurisdictions that have experienced data breaches connected to Click2Gov since last August. Bozeman, Montana , reported last week it experienced a breach during a four-month period in late 2017 that potentially affected 3,000 residents. Wellington, Florida , notified more than 6,100 residents in early July that their information might’ve been compromised. Midwest City, Oklahoma , learned in June that nearly 4,600 of its residents’ were affected.
Researchers say that as many as 6,000 installations of the software can be linked to governments around the country that are still likely vulnerable to cyberattacks.
Risk Based Security, a consulting firm in Richmond, Virginia, saw the number of cities using Click2Gov experiencing data breaches, and noticed a familiar script.
“A local city or town discovers their online utility payment portal has been attacked,” Inga Goddijn, the company’s executive vice president, wrote in a June 14 blog post . “The service goes dark while the city investigates — along with their trusty vendor that may or may not run the portal — only to learn that payment card details used to pay utility bills online have been compromised.”
Goddijn also wrote that none of the individual breaches were particularly remarkable until she noticed they all shared the same vendor.
Superion, the Florida software company that publishes Click2Gov, told StateScoop some of its clients started noticing suspicious activity last year, and that it “took proactive steps” to notify customers starting in September. The company also said it hired a forensic investigator to determine the source of the data breaches.
The company also said that the breaches are only occurring in the local governments that host their own networks. “Not a single client in Superion’s data centers or in the Superion Cloud has faced these issues, even when they are using the same software product,” Superion spokeswoman Carol Matthieu said.
But possibly exposing residents’ personal information is not the only headache Click2Gov customers have experienced. After discovering a breach on June 6, Wellington’s chief information officer, William Silliman, told the village’s leaders the incident actually began as an attempt by hackers to surreptitiously install cryptocurrency-mining software on municipal computers, a tactic called cryptojacking that has grown in popularity among hackers in recent months. The mining operation morphed into an effort to steal credit card numbers, and ultimately Wellington concluded that payments for water bills between July 2017 and February 2018 may have been compromised.
Other cities that have reported data breaches related to Click2Gov include Goodyear, Arizona; Thousand Oaks, California; Fond du Lac, Wisconsin; and Beaumont, Texas. In every case, the incidents led to those communities shutting down their utility payment websites and notifying hundreds or thousands of residents that their credit-card information might have been nabbed.
Superion has also attributed the source of the data breaches to vulnerabilities in a third-party vendor, which Axios reported last month as Oracle’s WebLogic application server. WebLogic has been at the center of waves of cyberattacks designed to co-opt computers into mining cryptocurrencies. In one incident reported in January, a hacker last year installed a cryptocurrency mining application on vulnerable systems running WebLogic and netted $226,000 in a cryptocurrency called Monero.
Matthieu said Superion has helped its customers apply patches to fix the third-party vulnerability. She added that the company has “no evidence showing that it is unsafe to make payments utilizing Click2Go on hosted or secure on-premise networks” that have been patched.
But she also said Superion could not make the same assurances for Click2Gov customers that continue to host the software on their own networks.
In her blog post, Risk Based Security’s Goddijn wrote that Superion’s response to these incidents has been lacking, especially in the case of Oxnard, California , which first learned it had a data breach on May 25, nearly a year after Click2Gov customers started noticing problems. Superion gave Oxnard software patches after the breach was first detected, but told the city more work was needed four days later, at which point Oxnard shut down its utility-payment website.
“Multiple clients are breached over the course of a year and still it takes two tries to get a fix in place?” Goddijn wrote. “And is the problem really corrected if they cannot confirm or verify the exact method of compromise?”
She said that Superion’s response to Oxnard was similar to what it had offered to Fond du Lac, Wisconsin, seven months earlier.
Matthieu said Superion is continuing to help its customers patch their systems, but it’s unclear how many more cities will run into problems with the company’s software. Goddijn wrote that Risk Based Security’s investigation concluded that multiple releases of Click2Gov have been installed anywhere between 600 and 6,000 times, suggesting that more breaches are inevitable. Superion declined to share information about its customers.
“Unfortunately, given what we have seen so far, we anticipate seeing more breach reports coming to light thanks to the Click2Gov system,” she wrote. “Superion and their clients are clearly struggling to wrap their hands around the problem and lock it down once and for all.”