The city of Bakersfield is the latest in a long line of municipalities to be hacked by an unknown agency through the online payment system its citizens use to pay utility bills and building permit fees.
Since fall of last year, a host of cities across the United States have announced that they have been the victims of data breaches stemming from the third-party payment system, Click2Gov.
“This is likely being done by a team with knowledge of Click2Gov,” said Cal State Bakersfield Computer Science Department Chair Melissa Danforth in an email. “The level of sophistication of this group is difficult to judge without knowing how they got the malware onto the systems to begin with.”
Cybersecurity experts have been tracking the incidents as they have been announced.
Danforth referenced a report made by the cybersecurity research firm FireEye, in which the firm claims the hacking group uploaded a computer script onto the Click2Gov server in order to trick the server into revealing sensitive information.
“Now that we have the FireEye report, it is easy to see some very poor software design choices on the part of the vendor, but it is not clear if the city of Bakersfield was aware of these issues until all of this information came to light,” Danforth said.
The city contracts with the vendor, CentralSquare Technologies, previously called Superion, to handle online payments through Click2Gov.
On Monday, the city announced that its Click2Gov system had been breached by an outside entity from Aug. 11 to Oct. 1, exposing the personal and financial information of 2,400 user accounts.
Information such as a person’s name, address, email, payment card number, expiration date and security code was exposed during the breach.
The city has said that it has patched the security flaw and sent notices to those affected by the incident.
In a statement on Monday, the city said, “Safeguarding financial information is the city’s highest priority. The city takes cyber-security very seriously and works daily to ensure all online systems are secured to the highest extent possible.”
Representatives from the city have not responded to requests for comment beyond two statements released Monday.
Other cities, from Medford, Oregon, to St. Petersburg, Florida, have announced similar breaches, with thousands of users being exposed in each case.
CentralSquare Technologies first acknowledged a problem with its Click2Gov software in October 2017, saying it had notified its customers of suspicious activity and launched an investigation.
As more cities announced breaches throughout 2018, CentralSquare released an update, saying its investigation had revealed that only cities that hosted the company’s system on their own servers had been breached.
“Not a single client in Superion’s data centers or in the Superion Cloud has faced these issues, even when they are using the same software product,” the company said in a statement.
CentralSquare did not respond to a request for comment.
It is unclear if the city of Bakersfield hosts the Click2Gov system on its own servers or uses the CentralSquare cloud.
Those who have been affected by the data breach can call 888-278-8028 for more information.