[BreachExchange] Data breach may have compromised 28K people using St. Petersburg city website

Destry Winant destry at riskbasedsecurity.com
Tue Oct 2 19:39:55 EDT 2018


ST. PETERSBURG, Fla. -- At least 28,000 people may have had their
credit card information stolen during a month-long breach of the
city's website.

The city uses a third-party software product, called Click2Gov, to
process payments for several city services, including utility bills,
parking tickets, building licenses and more. Between Aug. 11 and Sept.
25, malicious software was on the payment server, making it
susceptible to unauthorized access.

Payments made in person, by phone, via E-Check or through any other
city systems were not affected.

In a letter to customers, St. Petersburg officials say the Click2Gov
vendor told the city of the issue on Sept. 27. The system was shut
down, rebuilt, secured and back online by 1:30 p.m. the next day.

"[The 28,000 people] are the ones who are at risk," City Spokesman
Benjamin Kirby said. "It doesn't mean every single person has had
their card hacked."

The city has not heard of any of its residents having an issue with
their accounts so far, Kirby added.

Several security updates were applied to the Click2Gov software this
year; however, none of them closed the apparent breach.

"The City is currently investigating why these steps did not prevent
the installation of the malicious software that led to the breach of
the credit card processing functionality on Click2Gov," the letter to
residents reads.

People are advised to keep a close watch on their accounts for any
suspicious activity and check with each of the credit reporting
agencies, including Equifax, Experian and TransUnion, for their latest
reports. Annualcreditreport.com is a free service that provides each
credit report each year.

If there is a suspected case of identity theft, file a police report
with local law enforcement. In St. Petersburg, residents are asked to
call police at 727-893-7780 or file a report online.
