Wellington online payments safe again as 2 new similar hacks surface

The village’s online-billing system is safe to use, Wellington said Tuesday, as reports surfaced of similar breaches in two other cities in the U.S.

The Palm Beach Post reported last week that at least nine other local governments have experienced breaches of billing vendor Superion’s Click2Gov systems. Wellington reported its breach on June 7 after being notified the previous day of vulnerabilities in its system.

RELATED: Wellington’s not alone: Thousands exposed in municipal website breaches

After rebuilding its server and adding layers of security, the village said in a news release that customers of six departments that use Click2Gov to collect payments — building, business license, code, parking tickets, planning and utilities — can safely make payments online once more.

Also Tuesday, reports revealed two more Click2Gov breaches similar to that experienced by Wellington and other cities, in Midwest City, Oklahoma, and Midland, Texas.

WELLINGTON READERS: Sign up for The Post’s weekly newsletter for Wellington news

Statements from Midwest City and Midland officials reveal details that mirror the breach suffered by Wellington and the nine other local governments found by The Post, including Lake Worth, Okaloosa County and Ormond Beach.

Midwest City said it learned of a potential breach on Thursday. “Upon discovery, staff immediately began an investigation and contacted our utility payment vendor, Superion,” the city said in a news release.

The breach there affected up to 2,300 utility customers who made credit or debit card payments using Click2Gov between May 25 and June 21, the city said. As with Wellington and other breaches, automatic payments and payments made via phone, checking account or in person were not affected.

Midwest City said the issue has been corrected and its Click2Gov system is back online.

The breach in Midland lasted longer, that city said in a Monday news release, stretching from December 2017 to this month. Officials there were notified of the potential breach on Friday and, once again, it affected one-time credit and debit card payments. Midland shut down its server and expects it to be online in the coming days, the city said.

In its news release, Midland pointed to other cities’ Click2Gov services that have been affected by breaches. “The vulnerability in Superion’s Click2Gov function is believed to be wide-spread,” the city said.

Superion has said the breaches have only affected local governments who host their own Click2Gov servers on-site, not those who pay more to use servers at Superion’s data centers or on its cloud service.

“To date, Superion has deployed the necessary patch to our software and a related third-party component, and over 99 percent of these customers have applied these patches,” Superion spokeswoman Carol Matthieu said in an email. “At this time, we have no evidence showing that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations. Superion does not control our customers’ networks, so we recommend citizens contact their municipality or county if they have any questions related to security.”

Wellington and other governments have filed reports with law enforcement as the breaches arise. On Tuesday, the village released its report to the Palm Beach County Sheriff’s Office, which has information previously released by Wellington including a timeline of when the breach was discovered and the initial report that only utilities customers were affected. Through forensic analysis by third-party vendor the Sylint Group, Wellington learned the five other departments were affected. Sylint also narrowed Wellington’s breach timeline from July 2017 to February, instead to Nov. 28, 2017, to June 4.

Related breaches

• Lake Worth: April 3, 2017 to Jan. 22

• Goodyear, Ariz.: June 13, 2017 to May 5

• Oceanside, Calif.: July 1 t0 Aug. 13, 2017

• Beaumont, Texas: Aug. 1-24, 2017

• Ormond Beach: Aug. 14 to Oct. 4, 2017

• Fond du Lac, Wis.: August to October, 2017

• Wellington: Nov. 28, 2017 to June 4

• Okaloosa County: December 2017 to March

• Midland, Texas: December 2017 to June

• Thousand Oaks, Calif.: Jan. 4-10

• Midwest City, Okla.: May 25 to June 21

• Oxnard, Calif.: March 26 to May 29, 2017

What to do

Have you been affected by a data breach? Wellington recommends following these steps:

• Review credit card statements and report unauthorized charges, no matter how small, to the card issuer.

• Ask your credit card issuer or bank to deactivate your card and issue a new card.

• Request a fraud alert on your credit file. This will tell creditors to contact you before opening new accounts or changing existing accounts.

• Request credit reports be sent to you, free of charge, for your review. Even if you do not find any suspicious activity on your credit reports, the Federal Trade Commission recommends that you check your credit reports periodically. Equifax: Equifax.com or 800-525-6285; Experian: Experian.com or 888-397-3742; TransUnion: Transunion.com or 800-680-7289.

Reader Comments ...

Next Up in Local

Jupiter bans medical marijuana dispensaries
Jupiter bans medical marijuana dispensaries

Iraq War veteran Emilio Pages makes a one-hour round trip to either Lake Worth or Stuart in order to get medical marijuana. He will have to continue to drive out of town after Jupiter councilors Thursday night voted 3-2 to ban medical marijuana dispensaries within town limits, despite 69 percent of Jupiter voters supporting the medical marijuana constitutional...
Changing CityPlace: A high-rise apartment complex may be coming
Changing CityPlace: A high-rise apartment complex may be coming

Downtown is about density — attracting enough people to bring it to life, to lure companies with well-paid employees, and residents and tourists with money to spend in shops and restaurants — but without overpopulating streets with cars or blocking sun and water views with walls of glass and concrete. And now in mid-sized West Palm Beach...
Gardens puts drinking water over money in picking buyer for land
Gardens puts drinking water over money in picking buyer for land

City officials selling six acres of surplus property picked the buyer who offered the least money but the firmest promise to protect the region’s current and future drinking water supply. RELATED: Seacoast Utility Authority drills new well in Palm Beach Gardens Seacoast Utility Authority’s offer of $865,000 for the land beat tennis pro...
Hundreds of Riviera Beach employees go unpaid in deposit glitch
Hundreds of Riviera Beach employees go unpaid in deposit glitch

More than 500 Riviera Beach employees didn’t get paid today, after TD Bank failed to post city deposits to their accounts, Finance Director Randy Sherman said this morning. According to Sherman, all employees who get paid by direct deposit were affected — which is roughly 520 people. Paychecks went out, but only a few dozen employees get...
More Stories