It’s been a rough year for municipalities, and it’s only likely to get worse. While we read more and more reports of school districts becoming victims of ransomware attacks that delayed school openings or caused school closings, we have also read numerous reports of municipal police and law enforcement sites being defaced, and other municipal sites being attacked with ransomware.
And then there were the Click2Gov reports. In 2018, this site noted more than four dozen cases of municipalities reporting hacks of their payment portals that used Click2Gov software. CentralSquare Technologies, the manufacturer of Click2Gov, had provided this site with a statement claiming that only municipalities who were self-hosting the software were affected.
In the first wave of attacks, Gemini Advisory analysts informed DataBreaches.net that as of December, 2018, more than 300,000 Card Not Present payment card records had been found up for sale on the dark web.
The breach reports continued into March, 2019, but for the last six months, there had been no new reports, until Stanislav Alforov, Gemini Advisory’s Director of Research, contacted this site recently to report that they had discovered what appeared to be a second wave of attacks involving Click2Gov. In an approximately one-month period, their analysts had found 20,000 payment card records up for sale on the dark web. The records appeared to be linked to eight cities in five states, and further investigation revealed that these cities were all using Click2Gov.
Unfortunately for six of the eight cities, it was the second time they had experienced a breach involving Click2Gov.
The eight cities are Deerfield Beach (FL), Palm Bay (FL), Milton (FL), Coral Springs (FL), Bakersfield (CA), Pocatello (ID), Broken Arrow (OK), and Ames (IA). Only Pocatello and Broken Arrow had not experienced previous Click2Gov breaches.
Of note, and unlike the first wave when many of those affected had local installations of the software that had not been updated or patched, Gemini’s analysts confirmed that many of the newly affected towns were operating patched and up-to-date Click2Gov systems at the time they experienced a breach.
DataBreaches.net contacted CentralSquare Technologies to ask them for their comments on the current situation. In response, they sent a statement that said, in relevant part:
“We have recently received reports that some consumer credit card data may have been accessed by unauthorized or malicious actors on our customers’ servers. It is important to note that these security issues have taken place only in certain towns and cities.
“We have immediately conducted an extensive forensic analysis and contacted each and every customer that uses this specific software, and are working diligently with them to keep their systems updated and protected.”
That statement almost seems to imply that the affected municipalities’ systems had not been updated and properly protected. If so, it appears to conflict with Gemini’s findings that the municipalities they spoke with were using updated and patched installations.
DataBreaches.net asked CST to confirm whether the “specific software” reference in their statement was to Click2Gov or if it was a reference to some other software. Their spokesperson confirmed that they were referring to Click2Gov software and added:
“Based on our current investigation, the vulnerability existed for a limited number of Click2Gov customers, and has been closed. At this time, only a small number of customers have reported unauthorized access.”
Based on Gemini Advisory’s statements to this site and their new report, it sounds like someone did find and exploit a new vulnerability. And as Gemini Advisory notes in their report, that should not be surprising:
“Given the success of the first campaign, which generated over $1.9 million in illicit revenue, the threat actors would likely have both the motive and the budget to conduct a second Click2Gov campaign.”
You can read Gemini Advisory’s report here.
Update of October 4: Bakersfield announced that it is terminating its relationship with Click2Gov.
Update of November 15: About 3,500 residents of Pocatello were affected.