Customer credit card information could have been stolen from the city of Waco water department’s Click2Gov online payment portal earlier this year.
Investigators hired by the city found payment information entered between Aug. 30 and Oct. 14, including names, addresses, credit card numbers, expiration dates and card verification value numbers, could have been stolen by malicious code, according to a city press release.
“Of the 44,000 water customers, typically we receive 12,500 payments online each month,” city spokesman Larry Holze said. “During the period identified, a little over 8,000 customers were mailed letters. Payments made with a credit card inside the water office (not online) are not involved in this incident.”
The third-party vendor that operates Click2Gov first alerted the city of the potential breach Nov. 8, prompting the city’s investigation, according to the press release. The city will send letters this week to customers who might have had their data stolen.
“The notice will include information about the event, measures we have taken in response, and recommendations for protecting personal information in the future,” the press release states. “In the meantime, we encourage all Waco residents to monitor all financial transactions/statements and promptly report any suspicious or unusual charges to the relevant banking institutions.”
The city set up an assistance line at 833-947-1419 to answer questions. The line will be open from 8 a.m. to 8 p.m. Monday through Friday.
The water department has been using Click2Gov to process payments since 2010. Last year, the city notified customers that financial information from about 2,500 online payments in December 2017 and January 2018 that was stored on city servers was not properly encrypted. According to the city, there was no indication the information had been accessed improperly or misused.
Waco is not the only city having security trouble. Gemini Advisory, a cyber security firm, reported widespread breaches of Click2Gov portals in 2017 and 2018. According to a Gemini Advisory report from September, a second wave of attacks starting in August hit eight cities, resulting in records from customers in five states being put up for sale on the dark web.
“Given the success of the first campaign, which generated over $1.9 million in illicit revenue, the threat actors would likely have both the motive and the budget to conduct a second Click2Gov campaign,” the report states.
The report does not list Waco among the eight cities affected by the second wave of breaches.