[BreachExchange] Cities are fleeing payment platform Click2Gov after data-breach resurgence

Destry Winant destry at riskbasedsecurity.com
Tue Feb 18 10:09:46 EST 2020


https://statescoop.com/ux-user-experience-click2gov-data-breach-cities/

Over 2017 and 2018, dozens of small and midsize cities across the
United States had to tell their residents that their personal data had
potentially been included in data breaches linked to Click2Gov, a
popular platform that many local governments use to process online
payments for things like utilities, parking tickets and other fees
that cities collect.

Cities that were breached scrambled to shut down their online payments
systems and mitigate the situation, while hundreds or thousands of
residents received notices that their names and credit card
information had been exposed to potentially malign actors. Click2Gov’s
publisher, then known as Superion, said in July 2018 the breaches
could be attributed to vulnerabilities in Oracle’s WebLogic
application server, which the breached cities had used to run
Click2Gov.

Local governments using Click2Gov — a number that was estimated to be
as high as 6,000 — installed security patches, and the rash of
breaches appeared to have subsided. But last August, the exposures
started up again, with another group of cities, including several that
had been targeted in the first wave, like Ames, Iowa, and Bakersfield,
California, reporting their residents’ information being compromised.
Once again, cities that have tried to make citizen services more
convenient by putting them online find themselves scrambling to
reassure their residents, hand out free credit-monitoring services and
look for a more secure software solution.

‘We rallied all our resources’

This time, researchers say, the fix might not be as simple as patching
an application server.

“I think there may be issues with an Oracle product, but I don’t think
that’s the sole cause,” said Inga Goddijn, the executive vice
president of Risk Based Security, a cybersecurity consulting firm that
studied the previous run of Click2Gov breaches.

One detail the recent breaches have in common is that they appear to
affect customers who make one-time payments, but not people who enroll
in automatic monthly billing. That was the case in Bend, Oregon, where
last month 5,000 utility customers received notices in the mail that
their personal information had been included in a Click2Gov data
breach, said Stephanie Betteridge, chief innovation officer for the
city of 98,000 residents.

Betteridge said it took some time for Click2Gov’s publisher — now
called CentralSquare, following a late 2018 merger between Superion
and two other firms — to confirm the nature of the Bend breach.
Betteridge said her office was aware of previous incidents involving
Click2Gov, but was only initially notified by CentralSquare about a
data security incident in Bend on Dec. 16. Details were sparse,
though.

“There was no confirmation on the scope or nature of it,” she said.
“So we rallied all our resources, and at that point, we started our
own investigation to really try and determine the nature and scope so
we could take our own action.”

Betteridge said that Bend officials, with the help of cybersecurity
firm Cylance, were able to determine that a threat actor was inserting
malicious code into a one-time payment form running on Click2Gov.
She said CentralSquare didn’t confirm the information until Jan. 6,
and the next day, the city notified its residents and started sending
out notices to affected customers.
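The tampering described above, malicious code inserted into a one-time payment form so that card details are captured as they are typed, is the kind of change a city can watch for by comparing the scripts and form targets a live payment page serves against a known-good baseline. The following is an added illustration, not code from the article, from the City of Bend, Cylance or CentralSquare; it assumes the defender keeps an allowlist of script hosts and a baseline of inline-script hashes, and the hostnames and HTML samples below are constructed.

```python
"""Baseline check for injected scripts and off-site form targets on a payment page.

Added example (not from the article or the vendor). Assumes an allowlist of
script hosts and a baseline of SHA-256 hashes of the inline scripts the page is
supposed to carry. All HTML and hostnames here are constructed samples.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects external script sources, inline script hashes and form targets."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of each <script src=...>
        self.inline = []        # sha256 of each inline <script> body
        self.form_actions = []  # action attribute of each <form>
        self._capturing = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "script":
            if attrs.get("src"):
                self.external.append(attrs["src"])
            else:
                self._capturing = True
                self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies here as raw text.
        if self._capturing:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._capturing:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._capturing = False


def collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def host_of(url):
    # Relative URLs ("/js/x.js") have no host and are treated as same-origin.
    return urlparse(url).netloc.lower()


def audit_page(html, allowed_hosts, baseline_inline_hashes):
    """Return (kind, detail) findings; an empty list means the page matches the baseline."""
    page = collect(html)
    findings = []
    for src in page.external:
        host = host_of(src)
        if host and host not in allowed_hosts:
            findings.append(("unexpected-script-host", src))
    for digest in page.inline:
        if digest not in baseline_inline_hashes:
            findings.append(("unexpected-inline-script", digest))
    for action in page.form_actions:
        host = host_of(action)
        if host and host not in allowed_hosts:
            findings.append(("form-posts-offsite", action))
    return findings


# Constructed samples: the known-good page and a copy with two extra scripts.
ALLOWED_HOSTS = {"payments.example.gov", "static.example.gov"}

BASELINE_HTML = """<html><body>
<form id="onetime" action="/pay/submit" method="post">
  <input name="card" type="text"></form>
<script src="https://static.example.gov/js/payform.js"></script>
<script>document.getElementById("onetime").reset();</script>
</body></html>"""

TAMPERED_HTML = """<html><body>
<form id="onetime" action="/pay/submit" method="post">
  <input name="card" type="text"></form>
<script src="https://static.example.gov/js/payform.js"></script>
<script>document.getElementById("onetime").reset();</script>
<script src="//unlisted-host.invalid/p.js"></script>
<script>/* constructed stand-in for an unexpected inline script */ void 0;</script>
</body></html>"""

# The baseline of inline-script hashes is taken from the known-good page.
BASELINE_INLINE = set(collect(BASELINE_HTML).inline)

if __name__ == "__main__":
    for kind, detail in audit_page(TAMPERED_HTML, ALLOWED_HOSTS, BASELINE_INLINE):
        print(f"{kind}: {detail}")
```

Run periodically against the live one-time payment page (the one the article says was affected, as opposed to enrolled auto-pay customers who never type card data into the form), any new script host, new inline script or form posting off-site is a finding to investigate before customers are exposed. The same inventory is what a Content Security Policy or Subresource Integrity attribute would enforce in the browser; this check simply makes the drift visible to the operator.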

The response to a breakdown in digital government is an exercise in
retail public service: Bend City Hall has pumped out press releases,
Betteridge and other officials have given numerous interviews, and the
city’s even set up a call center for residents worried about the
exposure of their personal information. She said only 87 people have
called so far, though 327 have taken up the city’s offer of a free
year of credit monitoring.

‘Insecure software costs more’

Bend is moving on from Click2Gov to a new online payments system
called InvoiceCloud, which Betteridge said she selected for its
security features.

“They were the only product that could adhere to the [Payment Card
Industry] Data Security Standard,” she said, referring to a security
framework issued by a coalition of major credit-card firms. “They
really had the most robust security. And to us that was critical.”

While Betteridge said the transition was already planned, the
experience of going through a data breach prompted her office to speed
up the timeline. The first features of Bend’s new InvoiceCloud
platform will go live in the next three to four months, she said,
though the new utility billing system won’t be ready for another nine
months.

Bend’s not the only city fleeing Click2Gov. Officials in College
Station, Texas, terminated their contract with CentralSquare after
learning last November that 11,000 utility customers had had their
data exposed. College Station has since signed on with another
competitor, Paymentus, in a contract that will be more expensive than
what it was paying CentralSquare.

But those investments are necessary, said Goddijn.

“At the end of the day, insecure software costs more,” she said. “If
you have a bad breach, that kicks off not just the immediate
remediation, but now you have time and resources going into moving
into a new system. There’s no getting around it these days. Clearly
attackers are making money off of exploiting weak software.”

While the actors behind the most recent wave of Click2Gov attacks
haven’t been identified, the last round was indeed lucrative.
According to threat intelligence firm Gemini Advisory, data collected
in the 2017 and 2018 Click2Gov breaches fetched $1.9 million on the
dark web.

CentralSquare did not respond to requests for an interview about the
most recent spate of data breaches. But to Betteridge, the Bend CIO,
the incident was a test to maintain the confidence of her city’s
residents.

“I think any time your customers are impacted, you want to be able to
respond to them as quickly as possible,” she said. “Public trust is
critical to us. And we want to do everything to protect our
customers.”
