[BreachExchange] Another Click2Gov data breach hits Indio, California

Destry Winant destry at riskbasedsecurity.com
Tue Oct 16 00:13:34 EDT 2018


Residents of Indio, California, who pay their water bills online
became the latest group of people whose personal identifying
information was potentially exposed thanks to a vulnerability in
Click2Gov, a municipal bill-payment program that has been connected
to more than a dozen data breaches in small and midsize cities across
the country since July 2017.

The Indio Water Authority, serving a city of 90,000 about 150 miles
east of Los Angeles known as home of the annual Coachella music
festival, announced Friday that it recently learned that its
customers' credit card numbers might have been exposed by its
installation of the Click2Gov software. City officials said an
investigation conducted after they were alerted to the possible breach
found that it could have affected customers who made payments between
January 2017 and Aug. 13.

The breach potentially included customers' names and credit card
numbers. Other types of personal identifying information, such as
Social Security numbers and driver's licenses, were not exposed. Brian
Macy, the water authority's general manager, told StateScoop in an
email that there is no evidence any of the credit cards swept up in
the breach have been used for illicit purposes. Macy also said the
utility has notified impacted customers, but did not disclose how many
people had their information exposed.

Still, the incident made Indio the latest in a string of
municipalities to suffer cybersecurity failures related to Click2Gov,
which local governments use to process utility payments, permit
applications, business licenses and other transactions online.
Medford, Oregon — population 82,000 — announced in July that more than
1,800 of its residents who had used its Click2Gov installation had had
their credit card information exposed. Other similarly sized
communities, such as Bozeman, Montana; Wellington, Florida; and
Midwest City, Oklahoma, also blamed Click2Gov for exposing their
residents' personal information around that time.

Superion, the software firm that publishes Click2Gov, has attributed
past breaches to a vulnerability in Oracle's WebLogic application
server, and said that it offers updates to patch the third-party flaw.
A spokeswoman for the company told StateScoop in July that cities
where Click2Gov breaches occurred were hosting the program on
their own in-house networks, rather than Superion's proprietary

Macy told StateScoop the Indio Water Authority has stopped using
Click2Gov to process payments.
