DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Stolen Credit Card Data from City Parking Systems Sold on the Dark Web

Posted on February 8, 2019 by Dissent

Bruno reports:

The hackers of the city parking fine system in Saint John, Canada have been selling sensitive data on the dark web for over a year.

The security breach in the system was not spotted for 15 months after the initial attack, which ultimately allowed the hackers to gain personal information and credit card numbers of 6,000 Canadian residents.

Read more on DarkWebNews.

The report left me confused– not because the reporting was confusing, but because Saint John didn’t seem to have known about the breach when it seems that they likely should have known about it.

DataBreaches.net reached out to Gemini Advisory, who had issued a report on the Click2Gov breach in December. They provided the following statement, which includes a very troubling allegation:

We identified various affected cities in our initial findings related to the Click2Gov Breach, and we sent all of this information to CentralSquare Technologies (CST) on November 28, before we published any information about this breach online. It appeared that from all of the information we provided, CST only reached out to and notified the city of Topeka, Kansas.

After a few email exchanges and halted responses from CST, we pushed out our full blog, which covered the breach and all of the affected cities. Our blog was picked up by various news outlets, including ITworld. A week or so afterward, the city of Saint John reached out to us directly. While the city initially communicated that it was not aware of any breach of its Click2Gov portal, after Gemini turned over all of its findings to the city, Saint John pushed a breach notification message to its residents.

We have also reached out directly to Hanover County to notify it that it is a victim of the Click2Gov breach since the county’s compromised payment card information was posted for sale several weeks after our publication. Shortly after receiving our information and after conducting an internal analysis, Hanover Country sent out a breach notification to its residents. At this time, Gemini Advisory has turned over all of its findings to US Federal Law Enforcement for further analysis and for further victim notification.

DataBreaches.net reached out to CentralSquare Technologies to ask them to respond to the allegation that they had not notified the entities Gemini Advisory had found to be compromised. They sent the following statement in response:

Throughout last year and this year, we took proactive steps to keep all of our customers informed while working with them to keep their local on-premise systems updated and protected. It is important to note that these security issues have taken place only in on-premise environments in certain towns and cities that choose to host their own systems locally. No customer in the CentralSquare Cloud has faced these issues, even when they are using the same software.

We continually work with each customer to help identify risk, while working with them to apply the latest patches and updates available for these systems, including patches for the third-party software that contributed to the issue.

For security and confidentiality reasons, we cannot disclose any information about our customers, their environments or their security.

So is that an actual denial of Gemini’s claim that only one entity was notified by CST?  If Gemini notified CST on November 28,  how is it that Saint John wasn’t notified and had to find out from a media report?

Note that it was not just Gemini that attempted to notify CST.  A spokesperson for FireEye tells DataBreaches.net:

Superion, now Central Square Technologies, was provided an advanced copy of the FireEye blog ‘Click It Up: Targeting Local Government Payment Portals‘, published on September 19, 2018. Representatives of the company did not comment on the blog prior to publication.

In a follow-up response, the spokesperson clarified that Superion never responded directly at all to the advanced copy of the blog, although FireEye did get a read receipt.

Should the FTC and/or state attorneys general be investigating this widespread incident? I would hope that some regulator is at least looking into it, especially if we are being told that no less than two firms tried to give them the heads up and valuable information that might have protected municipalities.

As always, coverage will be updated as more information becomes available.

No related posts.

Category: Breach IncidentsCommentaries and AnalysesGovernment SectorSubcontractorU.S.

Post navigation

← Update: Hackers release CarePartners employees’ wage statements and other financial files
Cybersecurity for small business: Email authentication →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure
  • Kentfield Hospital victim of cyberattack by World Leaks, patient data involved
  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.