Third-party payment platform hit, again

Customers of a Colorado water supplier are the latest victims of a series of attacks on the Click2Gov municipality payment software.

In a statement issued to press on Monday (December 30), Aurora Water said that the personal information of customers who had used the platform between August 30 and October 14 had been impacted.

An unauthorized actor, it explained, had “modified a piece of computer code” used by Click2Gov “to capture limited personal information such as first and last name, billing address, payment card type, payment card number, payment card verification value, and payment card expiration date.”

Only customers who made one-time or set up recurring payments are said to be affected.

Aurora Water, which provides water to 360,000 residents in Aurora, Colorado, said that upon discovering the incident it took “Click2Gov offline for any new reoccurring or one-time payments” and launched an investigation.

Updates to its findings will be posted on a security advisory, it said.

Click2Gov, third-party payment software used for other municipal services such as tax bills or buying building permits, has been subject to attack since its developer, Superion, publicly disclosed a security vulnerability in October 2017. A patch was issued in June 2018.

By late 2018, however, nearly 300,000 payment cards had been compromised through Click2Gov flaws, stretching across 46 locations in the US, according to the threat intelligence firm Gemini Advisory.

It added that Superion, now part of CentralSquare Technologies, had said “despite broad patch deployment the system remains vulnerable for an unknown reason.”

Gemini reported more Click2Gov breaches in September 2019, compromising 20,000 customer records in towns that had already patched Click2Gov systems.

Risk Based Security estimates that there are between 600 and 6,000 Click2Gov installations in US and Canada municipalities.

That will soon be one installation fewer since Aurora Water is transitioning to an alternative payment system, Paymentus – a decision made before Monday’s breach announcement.

Aurora Water said it is in the process of notifying individuals who may have been affected.

“Aurora Water is committed to protecting the security of our customers’ information and the integrity of our payment systems is of the highest importance,” it said.

“We would like to remind customers who pay their bills online that it is good practice to review their bank and credit card statements carefully and report any unusual activity to their financial institutions.”

CentralSquare Technologies declined to comment for “security and confidentiality reasons”.

YOU MIGHT ALSO LIKE Ryuk ransomware implicated in City of New Orleans shutdown