Bruno reports:
The hackers of the city parking fine system in Saint John, Canada have been selling sensitive data on the dark web for over a year.
The security breach in the system was not spotted for 15 months after the initial attack, which ultimately allowed the hackers to gain personal information and credit card numbers of 6,000 Canadian residents.
Read more on DarkWebNews.
The report left me confused– not because the reporting was confusing, but because Saint John didn’t seem to have known about the breach when it seems that they likely should have known about it.
DataBreaches.net reached out to Gemini Advisory, who had issued a report on the Click2Gov breach in December. They provided the following statement, which includes a very troubling allegation:
We identified various affected cities in our initial findings related to the Click2Gov Breach, and we sent all of this information to CentralSquare Technologies (CST) on November 28, before we published any information about this breach online. It appeared that from all of the information we provided, CST only reached out to and notified the city of Topeka, Kansas.
After a few email exchanges and halted responses from CST, we pushed out our full blog, which covered the breach and all of the affected cities. Our blog was picked up by various news outlets, including ITworld. A week or so afterward, the city of Saint John reached out to us directly. While the city initially communicated that it was not aware of any breach of its Click2Gov portal, after Gemini turned over all of its findings to the city, Saint John pushed a breach notification message to its residents.
We have also reached out directly to Hanover County to notify it that it is a victim of the Click2Gov breach since the county’s compromised payment card information was posted for sale several weeks after our publication. Shortly after receiving our information and after conducting an internal analysis, Hanover Country sent out a breach notification to its residents. At this time, Gemini Advisory has turned over all of its findings to US Federal Law Enforcement for further analysis and for further victim notification.
DataBreaches.net reached out to CentralSquare Technologies to ask them to respond to the allegation that they had not notified the entities Gemini Advisory had found to be compromised. They sent the following statement in response:
Throughout last year and this year, we took proactive steps to keep all of our customers informed while working with them to keep their local on-premise systems updated and protected. It is important to note that these security issues have taken place only in on-premise environments in certain towns and cities that choose to host their own systems locally. No customer in the CentralSquare Cloud has faced these issues, even when they are using the same software.
We continually work with each customer to help identify risk, while working with them to apply the latest patches and updates available for these systems, including patches for the third-party software that contributed to the issue.
For security and confidentiality reasons, we cannot disclose any information about our customers, their environments or their security.
So is that an actual denial of Gemini’s claim that only one entity was notified by CST? If Gemini notified CST on November 28, how is it that Saint John wasn’t notified and had to find out from a media report?
Note that it was not just Gemini that attempted to notify CST. A spokesperson for FireEye tells DataBreaches.net:
Superion, now Central Square Technologies, was provided an advanced copy of the FireEye blog ‘Click It Up: Targeting Local Government Payment Portals‘, published on September 19, 2018. Representatives of the company did not comment on the blog prior to publication.
In a follow-up response, the spokesperson clarified that Superion never responded directly at all to the advanced copy of the blog, although FireEye did get a read receipt.
Should the FTC and/or state attorneys general be investigating this widespread incident? I would hope that some regulator is at least looking into it, especially if we are being told that no less than two firms tried to give them the heads up and valuable information that might have protected municipalities.
As always, coverage will be updated as more information becomes available.