[BreachExchange] Security incident affects about 3, 000 Fort Worth water customers

Destry Winant destry at riskbasedsecurity.com
Fri Dec 6 09:46:33 EST 2019


The city of Fort Worth is advising its water customers to pay close
attention to their credit card statements after a security incident
may have compromised residents’ information.

The incident could have affected about 3,000 credit card holders who
made one-time online payments to the city between Aug. 27 and Oct. 23,
according to a city news release. Credit card information that could
have been stolen includes cardholder name, billing address, credit
card number, security code and expiration date.

Customers who set up recurring payments by credit card will not be
impacted unless they logged in and entered a different credit card
number between those dates, according a news release. Customers who
paid by phone or in person also will not be impacted.

“We’re not happy this happened, but we’re trying to do everything we
can to keep this from being a recurring situation,” said Mary
Gugliuzza, media relations director for the water department.

The city was made aware of the incident after receiving a notification
from CentralSquare, Fort Worth’s vendor for Click2Gov software, which
powers the water department’s online payment system.

The vendor determined that an unauthorized person or persons had
inserted code into the software to capture personal payment card
information from customers who logged into the system and made a
credit card payment, according to a news release.

Upon notification, the city worked with CentralSquare to remove the
code and replace the server supporting the Click2Gov system. The
software is being monitored for any code changes.

Other cities who use Click2Gov also had their billing systems
impacted, according to a report from Forbes.

Prior to the incident, Fort Worth had already planned to move away
from Click2Gov. The city is migrating to a new online-payment system
called Paymentus. This new system does not require the city’s server
to act as a host, and it boasts enhanced security features, Gugliuzza

In the meantime, impacted cardholders are being offered one year of
free credit monitoring by CentralSquare. The impacted cardholders were
sent letters from the city earlier this week that will include unique
customer information on how to take advantage of that offer, and a
follow-up letter will be sent by CentralSquare.

“Regularly check your credit card statements,” Gugliuzza said. “And
when you find charges that you know you didn't make, contact your
credit card company.”

More information about the BreachExchange mailing list