[BreachExchange] Security breach threatens credit card info of 8,000 Marietta utility customers

Destry Winant destry at riskbasedsecurity.com
Fri Dec 20 10:06:52 EST 2019


MARIETTA, Ga. (CBS46) -- The City of Marietta was informed by one of
its software vendors, Central Square Technologies, that there was a
serious security breach in their utility payment system, Click2Gov.

Targeted in that breach was customer credit card information.

Customers who made payments on the City website via Click2Gov between
August 26 and October 26, 2019, with a credit card could have had that
credit card information compromised.

A customer’s credit card information would only be at risk if that
person manually entered their credit card information on the Click2Gov
application during that time frame. Customers enrolled in the auto pay
system prior to or after those dates, and those who have paid in
person, by mail, and over the phone during those dates were not
affected. Additionally, tax payments are not affected.

“So if they saved their credit card in the wallet feature, that was
NOT compromised,” said Ronnie Barrett, the IT Director for the City of
Marietta and Marietta Power and Water. “It was just the people who
manually entered their credit card in for a one-time payment.”

Officials with Central Square Technologies told the City that they do
not have evidence showing that any Marietta customer transaction was,
in fact, compromised.

The FBI is now investigating the data breach, as over 30 cities in the
United States use the Click2Gov platform.

“We were originally notified December 2nd and then the FBI contacted
us on December 3rd,” said Barrett. “It became an active investigation
and we weren’t at liberty to discuss the ongoing investigation until
just recently. You get a phone call from the FBI, obviously it’s a
little nerve-wracking.”

Central Square Technologies told Marietta officials that they have
corrected the issue and that no customer credit card data has been at
risk since they made the correction. Central Square Technologies has
agreed to offer free credit monitoring for impacted customers through

Marietta will send letters out to those individuals as well, to inform
them of next steps.

CBS46 asked the City’s IT Director if they might consider switching
vendors, due to the breach.

“The vendor has been here a long time, and this is the first
compromise we’ve experienced. We’re going through a process with them
to make sure we understand what happened fully,” said Barrett. “They
have assured us they have repaired this particular vulnerability…and
it’s a potential compromise, not a verifiable compromise at this time,
so that’s something we’ll have to continue to have discussions about
and if we need to move in another direction, we will have to do that
over time because it’s a very complicated system that would have to be
re-engineered,” he said.

Security expert Janice Toms says consumers should do their homework
before using third-party websites, because they don’t all follow the
same set of standards.

“Security, in general, is like peeling back an onion, companies do
what they need to do to be compliant, but how deep that goes, is up to
the company’s concern on risk,” she said.

Toms is the owner of TeamLogic IT, which provides IT services and
solutions. She says hackers are becoming increasingly sophisticated.

“People that hack into these companies are professionals, they
understand exactly what they’re doing and the level they take it. And
so consumers need to make sure they are protected,” she said.
