DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

St. Petersburg timeline on Click2Gov raises questions as to whether the vendor was proactive or not

Posted on October 2, 2018 by Dissent

I have commented on the Click2Gov breach a few times — mostly wondering aloud why so many customers do not seem to have been made aware that they needed to update immediately, etc.   Both RBS and FireEye have both discussed the Click2Gov incident in more depth.

But now look at this disclosure from St. Petersburg, which I am reproducing in full below. The timeline raises a lot of questions, I think.

We have learned of a data security incident that occurred between August 11, 2018 and September 25, 2018 that involved some of our customers’ credit card information.

The City of St. Petersburg utilizes a third-party software product called Click2Gov to provide our customers with the ability to pay utility bills, parking tickets, business licenses, building permits, and civil citations online via the Internet.

On Thursday, Sept 27, 2018 the Click2Gov vendor informed the city that they had found malicious software on the server. Our payment site was immediately shut down to prevent access. The city preserved the existing system for forensic analysis and immediately worked with our vendor to build a new system. By 1:30 pm on Friday, Sept 28, 2018 the city had a new system configured and was back in a fully operational mode.

Timeline of events

  • Contacted the vendor regarding Ormond Beach press release “Online Utility Billing Payment System Potential Breach 10/13/17
  • Requested vendor to review our system 10/16/17
  • Vendor scanned our system and applied critical security updates 1/8/18
  • Subsequent updates released and installed on 4/5/18, 5/21/18, and 8/15/18
  • Contacted vendor to report we were having intermittent issues with our online payments system being down and they accessed our system to research on 9/21/18.
  • Contacted vendor as follow up to this issue and requested them to access our system once again to identify the problem on 9/26.
  • Follow up call to notify vendor the site was down once again, the vendor connected to our system at 11:24 AM on 9/27/18.
  • We were notified by the vendor at 1:30PM that our system had been breached and it was immediately taken down to prevent further access.
  • Migrated to new server configuration and online payments system was made available to the public by 2:00PM 9/28/18

The infected system was reviewed by a vendor, specializing in forensic analysis, and their preliminary findings indicate that the Click2Gov pages used to accept credit card information had been breached. The breach only affected users of the online Click2Gov system who made payments for utility bills, parking tickets, business licenses, building permits, or civil citations by credit card between Aug 11, 2018 and Sept 25, 2018. Any payments made in person, via the phone system, via E-Check or to any other city systems were not impacted.

The City of St. Petersburg takes protection of our data systems very seriously and constantly patches all our systems so that risks to our customer data can be minimized. The Click2Gov system had security patches applied to it in January, April, May and August of this year. In addition, the city also performs internal and external testing to ensure that the systems are not prone to any known vulnerabilities.

If you think you have been affected

  1. As a first step, we recommend that you closely monitor your financial accounts and if you see any unauthorized activity, promptly contact your financial institution. We also suggest that you submit a complaint with the Federal Trade Commission by calling 1 (877) 438-8228 (1-877-IDTHEFT) or online at www.ftccomplaintassistant.gov .
  2. As a second step, you may want to contact the three U.S. credit reporting agencies (Equifax, Experian, and TransUnion) to obtain a free credit report from each by calling 1 (877) 322-8228 or by logging onto www.annualcreditreport.com .

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit reports periodically can help you spot a problem and address it quickly.

If you feel you’ve been a victim of identity theft, you should file a police report with your local law enforcement agency. If you live in St. Petersburg, call St. Petersburg Police at 727-893-7780 to file a report over the phone. You can also do it on line, go to www.police.stpete.org and scroll down and click on the eagle link.

We sincerely apologize for the inconvenience this incident has caused you. This notice has not been delayed for the purpose of completing an investigation in this matter, and we will keep you informed of any developments in the investigation that may be of importance to you.

Note: This notice was only sent to users who were possibly affected by the breach.

Updated October 13, 2018: And here’s yet another city that is first making notifications:
City of Indio notification.

Category: Commentaries and AnalysesGovernment SectorOf NoteSubcontractor

Post navigation

← Oklahoma DHS could have sent private medical info to wrong addresses
NY: Honeoye Falls-Lima school computer networks hacked; student records, personal information breached [UPDATED] →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.