[BreachExchange] A year later, cities using Click2Gov are still getting hacked

Destry Winant destry at riskbasedsecurity.com
Fri Jul 27 01:00:15 EDT 2018


https://statescoop.com/a-year-later-cities-using-click2gov-are-still-getting-hacked

More than a dozen small and midsize cities around the United States
have suffered data breaches linked to an online bill payment
application. Medford, Oregon, this week became the latest community to
report that its residents’ personal information may have been
compromised due to a vulnerability in the program called Click2Gov.

Medford, a city of nearly 82,000 about 30 miles north of the
Oregon-California border, announced Monday that in June, it had shut
down the online payment server running Click2Gov that it uses to
process utility bills, permit applications and business licenses after
discovering a data breach.

The Medford breach affected as many as 1,842 people who used Click2Gov
between February 18 and March 14, and again between March 29 and April
16, the city said. Those individuals’ names, credit card numbers, card
expiration dates and security codes were potentially exposed, though
Social Security numbers and other federal and state identification
numbers were not. As many as 30,000 people citywide use the online
payment system, Medford officials said.

But Medford is just one of more than a dozen jurisdictions that have
experienced data breaches connected to Click2Gov since last August.
Bozeman, Montana, reported last week it experienced a breach during a
four-month period in late 2017 that potentially affected 3,000
residents. Wellington, Florida, notified more than 6,100 residents in
early July that their information might’ve been compromised. Midwest
City, Oklahoma, learned in June that nearly 4,600 of its residents
were affected.

Researchers say that as many as 6,000 installations of the software
can be linked to governments around the country that are still likely
vulnerable to cyberattacks.

Risk Based Security, a consulting firm in Richmond, Virginia, saw the
number of cities using Click2Gov that were experiencing data breaches
and noticed a familiar script.

“A local city or town discovers their online utility payment portal
has been attacked,” Inga Goddijn, the company’s executive vice
president, wrote in a June 14 blog post. “The service goes dark while
the city investigates — along with their trusty vendor that may or may
not run the portal — only to learn that payment card details used to
pay utility bills online have been compromised.”

Goddijn also wrote that none of the individual breaches were
particularly remarkable until she noticed they all shared the same
vendor.

Superion, the Florida software company that publishes Click2Gov, told
StateScoop some of its clients started noticing suspicious activity
last year, and that it “took proactive steps” to notify customers
starting in September. The company also said it hired a forensic
investigator to determine the source of the data breaches.

The company also said that the breaches are only occurring in the
local governments that host their own networks. “Not a single client
in Superion’s data centers or in the Superion Cloud has faced these
issues, even when they are using the same software product,” Superion
spokeswoman Carol Matthieu said.

But possibly exposing residents' personal information is not the only
headache Click2Gov customers have experienced. After discovering a
breach on June 6, Wellington’s chief information officer, William
Silliman, told the village’s leaders the incident actually began as an
attempt by hackers to surreptitiously install cryptocurrency-mining
software on municipal computers, a tactic called cryptojacking that
has grown in popularity among hackers in recent months. The mining
operation morphed into an effort to steal credit card numbers, and
ultimately Wellington concluded that payments for water bills between
July 2017 and February 2018 may have been compromised.

Other cities that have reported data breaches related to Click2Gov
include Goodyear, Arizona; Thousand Oaks, California; Fond du Lac,
Wisconsin; and Beaumont, Texas. In every case, the incidents led to
those communities shutting down their utility payment websites and
notifying hundreds or thousands of residents that their credit-card
information might have been nabbed.

Superion has also attributed the source of the data breaches to
vulnerabilities in a third-party vendor, which Axios reported last
month as Oracle’s WebLogic application server. WebLogic has been at
the center of waves of cyberattacks designed to co-opt computers into
mining cryptocurrencies. In one incident reported in January, a hacker
last year installed a cryptocurrency mining application on vulnerable
systems running WebLogic and netted $226,000 in a cryptocurrency
called Monero.

Matthieu said Superion has helped its customers apply patches to fix
the third-party vulnerability. She added that the company has “no
evidence showing that it is unsafe to make payments utilizing Click2Gov
on hosted or secure on-premise networks” that have been patched.

But she also said Superion could not make the same assurances for
Click2Gov customers that continue to host the software on their own
networks.

In her blog post, Risk Based Security’s Goddijn wrote that Superion’s
response to these incidents has been lacking, especially in the case
of Oxnard, California, which first learned it had a data breach on May
25, nearly a year after Click2Gov customers started noticing problems.
Superion gave Oxnard software patches after the breach was first
detected, but told the city more work was needed four days later, at
which point Oxnard shut down its utility-payment website.

“Multiple clients are breached over the course of a year and still it
takes two tries to get a fix in place?” Goddijn wrote. “And is the
problem really corrected if they cannot confirm or verify the exact
method of compromise?”

She said that Superion’s response to Oxnard was similar to what it had
offered to Fond du Lac, Wisconsin, seven months earlier.

Matthieu said Superion is continuing to help its customers patch their
systems, but it’s unclear how many more cities will run into problems
with the company’s software. Goddijn wrote that Risk Based Security’s
investigation concluded that multiple releases of Click2Gov have been
installed anywhere between 600 and 6,000 times, suggesting that more
breaches are inevitable. Superion declined to share information about
its customers.

“Unfortunately, given what we have seen so far, we anticipate seeing
more breach reports coming to light thanks to the Click2Gov system,”
she wrote. “Superion and their clients are clearly struggling to wrap
their hands around the problem and lock it down once and for all.”
