Over 2017 and 2018, dozens of small and midsize cities across the United States had to tell their residents that their personal data had potentially been included in data breaches linked to Click2Gov, a popular platform that many local governments use to process online payments for things like utilities, parking tickets and other fees that cities collect.
Cities that were breached scrambled to shut down their online payments systems and mitigate the situation, while hundreds or thousands of residents received notices that their names and credit card information had been exposed to potentially malign actors. Click2Gov’s publisher, then known as Superion, said in July 2018 the breaches could be attributed to vulnerabilities in Oracle’s WebLogic application server, which the breached cities had used to run Click2Gov.
Local governments using Click2Gov — a number that was estimated to be as high as 6,000 — installed security patches, and the rash of breaches appeared to have subsided. But last August, the exposures started up again, with another group of cities, including several that had been targeted in the first wave, like Ames, Iowa, and Bakersfield, California, reporting their residents’ information being compromised. Once again, cities that have tried to make citizen services more convenient by putting them online find themselves scrambling to reassure their residents, hand out free credit-monitoring services and look for a more secure software solution.
‘We rallied all our resources’
This time, researchers say, the fix might not be as simple as patching an application server.
“I think there may be issues with an Oracle product, but I don’t think that’s the sole cause,” said Inga Goddijn, the executive vice president of Risk Based Security, a cybersecurity consulting firm that studied the previous run of Click2Gov breaches.
One detail the recent breaches have in common is that they appear to affect customers who make one-time payments, but not people who enroll in automatic monthly billing. That was the case in Bend, Oregon, where last month 5,000 utility customers received notices in the mail that their personal information had been included in a Click2Gov data breach, said Stephanie Betteridge, chief innovation officer for the city of 98,000 residents.
Betteridge said it took some time for Click2Gov’s publisher — now called CentralSquare, following a late 2018 merger between Superion and two other firms — to confirm the nature of the Bend breach. Betteridge said her office was aware of previous incidents involving Click2Gov, but was first notified by CentralSquare about a data security incident in Bend only on Dec. 16. Details were sparse, though.
“There was no confirmation on the scope or nature of it,” she said. “So we rallied all our resources, and at that point, we started our own investigation to really try and determine the nature and scope so we could take our own action.”
Betteridge said that Bend officials, with the help of cybersecurity firm Sylint, were able to determine that a threat actor was inserting malicious code into the one-time payment form running on Click2Gov. She said CentralSquare didn’t confirm the information until Dec. 30; the following week, the city notified its residents and started sending out notices to affected customers.
The response to a breakdown in digital government is an exercise in retail public service: Bend City Hall has pumped out press releases, Betteridge and other officials have given numerous interviews, and the city’s even set up a call center for residents worried about the exposure of their personal information. She said only 87 people have called so far, though 327 have taken up the city’s offer of a free year of credit monitoring.
‘Insecure software costs more’
Bend is moving on from Click2Gov to a new online payments system called InvoiceCloud, which Betteridge said she selected for its security features.
“They were the only product that could adhere to the [Payment Card Industry] Data Security Standard,” she said, referring to a security framework issued by a coalition of major credit-card firms. “They really had the most robust security. And to us that was critical.”
While Betteridge said the transition was already planned, the experience of going through a data breach prompted her office to speed up the timeline. The first features of Bend’s new InvoiceCloud platform will go live in the next three to four months, she said, though the new utility billing system won’t be ready for another nine months.
Bend’s not the only city fleeing Click2Gov. Officials in College Station, Texas, terminated their contract with CentralSquare after learning last November that 11,000 utility customers had had their data exposed. College Station has since signed on with another competitor, Paymentus, in a contract that will be more expensive than what it was paying CentralSquare.
But those investments are necessary, said Goddijn.
“At the end of the day, insecure software costs more,” she said. “If you have a bad breach, that kicks off not just the immediate remediation, but now you have time and resources going into moving into a new system. There’s no getting around it these days. Clearly attackers are making money off of exploiting weak software.”
While the actors behind the most recent wave of Click2Gov attacks haven’t been identified, the last round was indeed lucrative. According to threat intelligence firm Gemini Advisory, data collected in the 2017 and 2018 Click2Gov breaches fetched $1.9 million on the dark web.
CentralSquare did not respond to requests for an interview about the most recent spate of data breaches. But to Betteridge, the Bend CIO, the incident was a test to maintain the confidence of her city’s residents.
“I think any time your customers are impacted, you want to be able to respond to them as quickly as possible,” she said. “Public trust is critical to us. And we want to do everything to protect our customers.”
Correction: The cybersecurity firm that worked with the city of Bend and CentralSquare to investigate the data breach is Sylint, not Cylance, as initially reported.
This is part of StateScoop and EdScoop’s special report on user experience.