[BreachExchange] Click2Gov Parking System in Saint John City, Canada Hacked For Two Straight Years

Destry Winant destry at riskbasedsecurity.com
Mon Jan 7 18:07:12 EST 2019


https://hackercombat.com/click2gov-parking-system-in-saint-john-city-canada-hacked-for-two-straight-years/

The public parking payment system used by Saint John, a port city in
New Brunswick, Canada, is the latest victim of zero-day exploits. The
Click2Gov payment system, which handles the city's payment operations,
was attacked by hackers using zero-day exploits from May 2017 onward. For
almost two years, the city's servers hosting the Click2Gov payment
system were infiltrated by unknown outsiders, exposing confidential
customer information stored on those servers.

“Multiple instances when an unknown source gained access to
confidential customer information on the city’s server through the
Click2Gov payment system. This gives reason to believe that the breach
could impact anyone who has paid a city-issued parking ticket over the
past two years, from early 2017 to December 16, 2018,” explained the
city’s spokesperson.

According to the report, the Click2Gov payment system breached in
Saint John stored the following sensitive information about the city's
customers:

- Full name
- Mailing address
- Credit card number and its expiry date
- Credit card security code

This information, taken together, is enough for threat actors to commit
identity theft. The city has no in-house IT forensic capacity to
investigate the breach further; the intrusion was discovered with the
help of a third-party cybersecurity consulting contractor hired by
CentralSquare Technologies, the city's technical partner, which is
conducting the forensic investigation.

At the time of writing, Saint John's parking payment system is offline
and will remain down for the duration of the investigation. "The city
apologizes to
customers who have been impacted by the data breach. Cyber attacks can
happen at any time and the city makes every effort to protect the
confidential information of all customers, citizens and employees,”
concluded the city’s spokesperson.

Another cybersecurity consulting firm, Risk Based Security, noted that
the malware used in the attack was "very sneaky and quite hard to
detect. This is clearly targeted by a highly skilled attacker who is
well-versed in Click2Gov." CentralSquare, for its part, said it had
patched the parking payment system, so the original flaw should have
been fixed; yet "despite broad patch deployment the system remains
vulnerable for an unknown reason ... [I]t appears that the attackers
uncovered another undetected vulnerability, which has yet to be
patched," said CentralSquare's representative.

The Click2Gov system is used by at least 600 clients in the United
States, not only in Canada. CentralSquare needs to verify that every
deployment similar to the one in Saint John is patched against the
vulnerabilities involved. It is unfortunate, but there is a delicate
balance between the funds a customer can allocate to finding critical
bugs in a system and the service provider's ability to ensure that all
of its clients run a bug-free system. Aggressive patch management and
change management are required to avoid falling to known
vulnerabilities, let alone a zero-day bug.


More information about the BreachExchange mailing list