DataBreaches.Net


Eight cities impacted in second wave of Click2Gov breaches – Gemini Advisory

Posted on September 19, 2019 by Dissent

It’s been a rough year for municipalities, and it’s only likely to get worse. While we read more and more reports of school districts becoming victims of ransomware attacks that delayed school openings or caused school closings, we have also read numerous reports of municipal police and law enforcement sites being defaced, and other municipal sites being attacked with ransomware.

And then there were the Click2Gov reports. In 2018, this site noted more than four dozen cases of municipalities reporting hacks of their payment portals that used Click2Gov software. CentralSquare Technologies, the manufacturer of Click2Gov, had provided this site with a statement claiming that only municipalities who were self-hosting the software were affected.

In the first wave of attacks, Gemini Advisory analysts informed DataBreaches.net that as of December, 2018, more than 300,000 Card Not Present payment card records had been found up for sale on the dark web.

The breach reports continued into March, 2019, but for the last six months, there had been no new reports. Until Stanislav Alforov, Gemini Advisory’s Director of Research, contacted this site recently to report that they had discovered what appeared to be a second wave of attacks involving Click2Gov. In an approximately one-month period, their analysts had found 20,000 payment card records up for sale on the dark web. The records appeared to be linked to 8 cities in five states, and further investigation revealed that these cities were all using Click2Gov.

Unfortunately for six of the eight cities, it was the second time they had experienced a breach involving Click2Gov.


The eight cities are Deerfield Beach (FL), Palm Bay (FL), Milton (FL), Coral Springs (FL), Bakersfield (CA), Pocatello (ID), Broken Arrow (OK), and Ames (IA). Only Pocatello and Broken Arrow had not experienced previous Click2Gov breaches.


Of note, and unlike the first wave when many of those affected had local installations of the software that had not been updated or patched, Gemini’s analysts confirmed that many of the newly affected towns were operating patched and up-to-date Click2Gov systems at the time they experienced a breach.

DataBreaches.net contacted CentralSquare Technologies to ask them for their comments on the current situation. In response, they sent a statement that said, in relevant part:

We have recently received reports that some consumer credit card data may have been accessed by unauthorized or malicious actors on our customers’ servers. It is important to note that these security issues have taken place only in certain towns and cities.

We have immediately conducted an extensive forensic analysis and contacted each and every customer that uses this specific software, and are working diligently with them to keep their systems updated and protected.

That statement almost seems to imply that the affected municipalities’ systems had not been updated and properly protected. That statement appears to conflict with Gemini’s findings that the municipalities they spoke with were using updated and patched installations.

DataBreaches.net asked CST to confirm whether the “specific software” reference in their statement was to Click2Gov or if it was a reference to some other software. Their spokesperson confirmed that they were referring to Click2Gov software and added:

Based on our current investigation, the vulnerability existed for a limited number of Click2Gov customers, and has been closed. At this time, only a small number of customers have reported unauthorized access.

Based on Gemini Advisory’s statements to this site and their new report, it sounds like someone did find and exploit a new vulnerability.  And as Gemini Advisory notes in their report, that should not be surprising:

Given the success of the first campaign, which generated over $1.9 million in illicit revenue, the threat actors would likely have both the motive and the budget to conduct a second Click2Gov campaign.

You can read Gemini Advisory’s report here.

Update of October 4:  Bakersfield announced that it is terminating its relationship with Click2Gov.

Update of November 15:  About 3,500 residents of Pocatello were affected.

Category: Government Sector, Hack, Of Note, U.S.
