The City of St. Petersburg, Fla., published a press release announcing a data breach of the third-party Click2Gov self-service payment system that affected users who made credit card payments between August 11, 2018, and September 25, 2018.
Click2Gov is third-party payment software made by Superion and designed as a portal that lets users pay for local government services such as business licenses, utility bills, civil citations, parking tickets, and building permits via the Internet.
On September 27, the city was informed by Click2Gov's vendor that their server was compromised and malicious software was collecting their customers' information.
"The breach only affected users of the online Click2Gov system who made payments for utility bills, parking tickets, business licenses, building permits, or civil citations by credit card between Aug 11, 2018, and Sept 25, 2018," says St. Pete's press release. "Any payments made in person, via the phone system, via E-Check or to any other city systems were not impacted."
This is not the first such incident: Superion, Click2Gov's developer, issued an alert in October 2017 confirming suspicious activity on the payment portals of some of its customers.
At least eighteen other US cities were affected by a Click2Gov data breach since May
Furthermore, in June 2018 Superion published a press release saying that all Click2Gov customers had been notified to patch the Oracle WebLogic module, which was vulnerable to attacks and was the entry point used by threat actors to compromise their servers.
Since May 2018, when the City of Oxnard's Click2Gov-based payment platform was also affected, the Click2Gov payment portals of at least three other municipalities have been breached, with payment card data being leaked.
Also, although no public breach alerts were issued, there are signs that up to eighteen other cities were victims of this Click2Gov breach campaign, following multiple security incidents and user complaints of extra credit card charges, according to Risk Based Security.
According to an analysis by FireEye published on September 19, once the server is compromised, attackers upload the SJavaWebManage JavaServer Pages (JSP) web shell, which is used for persistence and to enable debug mode so that credit card payment information is collected in plaintext files.
The payment logs are exfiltrated using a tool named FIREALARM, while further credit card data is intercepted by sniffing the web traffic with the help of a second tool, SPOTLIGHT.
Although the City of St. Petersburg, Florida, did not provide extra information on what data the bad actors were able to siphon, previous incidents affecting the Click2Gov payment portal point to credit card numbers, verification numbers, expiration dates, as well as names and addresses being stolen.
Update: Modified the information regarding the total number of other US cities affected by Click2Gov breaches according to a new report by Risk Based Security.