Residents of Indio, California, who pay their water bills online became the latest group of people whose personal identifying information was potentially exposed thanks to a vulnerability in Click2Gov, a municipal bill-payment program that has been connected to more than a dozen data breaches in small and midsize cities across the country since July 2017.
The Indio Water Authority, serving a city of 90,000 about 150 miles east of Los Angeles known as home of the annual Coachella music festival, announced Friday that it recently learned that its customers’ credit card numbers might have been exposed by its installation of the Click2Gov software. City officials said an investigation conducted after they were alerted to the possible breach found that it could have affected customers who made payments between January 2017 and Aug. 13.
The breach potentially included customers’ names and credit card numbers. Other types of personal identifying information, such as Social Security numbers and driver’s licenses, were not exposed. Brian Macy, the water authority’s general manager, told StateScoop in an email that there is no evidence any of the credit cards swept up in the breach have been used for illicit purposes. Macy also said the utility has notified impacted customers, but did not disclose how many people had their information exposed.
Still, the incident made Indio the latest in a string of municipalities to suffer cybersecurity failures related to Click2Gov, which local governments use to process utility payments, permit applications, business licenses and other transactions online. Medford, Oregon — population 82,000 — announced in July that more than 1,800 of its residents who had used its Click2Gov installation had had their credit card information exposed. Other similarly sized communities, such as Bozeman, Montana; Wellington, Florida; and Midwest City, Oklahoma, also blamed Click2Gov for exposing their residents’ personal information around that time.
Superion, the software firm that publishes Click2Gov, has attributed past breaches to a vulnerability in Oracle’s WebLogic application server, and said that it offers updates to patch the third-party flaw. A spokeswoman for the company told StateScoop in July that cities where Click2Gov breaches occurred were hosting the program on their own in-house networks, rather than Superion’s proprietary servers.
Macy told StateScoop the Indio Water Authority has stopped using Click2Gov to process payments.