UPDATE (Jan. 7, 1:32 p.m. PT) — A private contractor hired by cities across the U.S. to handle public utility payments has again failed to secure credit card information for thousands of customers, this time in Bend.
The city of Bend is in the process of notifying about 5,000 people that “malicious code may have been inserted” into the online portal that most people use to pay their utility bills, leaving these customers vulnerable to credit card fraud, according to a Tuesday press release from the city.
The release alerts any customer who paid a utility bill online between Aug. 30, 2019, and Oct. 14, 2019, to monitor their financial accounts and report any suspicious activity to banks. The potentially exposed information includes cardholder name, billing address, card number, type, security code and expiration date.
The incident “was not due to a vulnerability of the City’s infrastructure, systems, or security,” according to the release, which places responsibility on a vendor hired by the city, CentralSquare, a software company managing payments for numerous governments and health care systems.
CentralSquare has a recent track record of security breaches. The company's Click2Gov platform has been hacked repeatedly since 2017, according to various tech industry websites.
Last fall, Ars Technica reported that credit card information belonging to tens of thousands of people in dozens of cities was compromised and sold on the darknet. In July 2018, more than 1,000 Medford utility customers had information hacked through Click2Gov, according to the Medford Mail Tribune.
In an email exchange, CentralSquare declined to answer how many cities and people have been affected by the data breaches and what it’s doing to secure the systems.
“For security and confidentiality reasons, we cannot disclose any information about our customers, their environments or their security,” a spokesperson who did not provide their name said in an email.
City of Bend Chief Innovation Officer Stephanie Betteridge would not say when the city learned of the potential exposure, only that the information came from CentralSquare. Waco, Texas, warned water customers of a similar breach around a month ago.
“This is an open and ongoing investigation and we're not able to speak to any specifics,” Betteridge said. The investigation includes CentralSquare, contracted forensic investigators, Bend Police and the FBI.
She said she wasn’t aware of any customers who have been defrauded due to the possible exposure of their credit card information.
Betteridge said the payment portal is now secure, and the city is planning to switch to a different payment platform as soon as possible.
More information about the scope of the breach will be released as the investigation continues, according to Betteridge, who added she was not aware of who may have perpetrated the attack.
Affected customers in Bend will be notified by mail, and the city has set up a call center to field concerns at 1-844-987-1209.
Those whose data was compromised will be offered one year of credit and identity monitoring services.
“Because this is our new normal, it's incumbent on everyone to be diligent and monitor their credit cards and their bank accounts and notify the e-credit card companies or their banks if they suspect fraudulent activity,” Betteridge said.
The malware attack comes amidst years of cyberattacks on municipalities and hospital systems around the country. Security measures for local governments are often out of date, while sensitive data is collected to provide essential services.
Betteridge said in this case only credit card information was potentially compromised, not other forms of identifying information. The city of Bend carries insurance against instances of cyberattacks.