Click2Gov Breaches Expose Government User Data

Hundreds of thousands of payment records have been stolen from nearly 50 municipalities that license the Click2Gov software, a bill paying technology widely used by local governments.

The cyber robbers have made off with nearly 300,000 payment records since August, 2017, netting at least $1.7 million through sales of pilfered bank cards on the dark web, according to an analysis based on news reports and data compiled over the last 18 months by IT services provider Gemini Advisory.

Gemini was able to tie the breaches to the same hacking group, wrote Stas Alforov, Gemini’s research and development director, in a blog post. In addition, the IT services provider pieced together the total number of stolen cards and affected municipalities, he said.

“As early as the spring of 2017 there have been numerous reports by local news outlets and researchers that identified various instances of payment card compromises which were attributed to local utility payment systems,” Alforov said. “The majority of the reporting claimed that the point of compromise was due to a payment software called Click2Gov which was hosted on local servers.”

Here are some of Gemini’s findings:

  • The first breach of Click2Gov software publicly reported occurred in August, 2017 in Oceanside, California
  • The most recent case of Click2Gov compromise, yet to be disclosed publicly, occurred in Pompano Beach, Florida.
  • There are 46 confirmed compromised U.S. locations and one in Canada. All but six breaches took place last year.
  • There are at least 600 or as many as thousands of installations of Click2Gov in the U.S. and Canada.
  • The breaches are part of the larger hacking operation conducted by the same hacking group and are not random in nature.
  • Despite broad patching by Superion, the software developer, the platform remains vulnerable.
  • The affected systems were all locally hosted. A cloud-based version of the Click2Gov was not affected.

Just in the past 30 days, Gemini said it has identified some 12,283 compromised payment cards associated with the Click2Gov breaches, despite Superion’s insistence that it found no evidence the system was unsafe either on fully-patched hosted or secure on-premise networks, Alforov said.

Several large financial institutions have confirmed a breach in the local online utility payment system in the following cities: (you can find a full list of cities hit by the crew and a map of victims' locations on the blog)

  • Laredo, Texas: 38,666
  • Pompano Beach, Florida: 9,817
  • Lacey, Washington: 6,604
  • Hanover County, Virginia: 5,937
  • Topeka, Kansas: 4,064

As for the culprits, Gemini has identified two people it believes are responsible for peddling the payment card data on the dark web. “With a high degree of confidence we assess that both actors belong to the same hacking group responsible for the attacks on Click2Gov clients,” Alforov said.

Because the Click2Gov software remains vulnerable, Gemini is advising users to find another way to pay until the threat has been eliminated.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.