The village’s online-billing system is safe to use, Wellington said Tuesday, as reports surfaced of similar breaches in two other cities in the U.S.
The Palm Beach Post reported last week that at least nine other local governments have experienced breaches of billing vendor Superion’s Click2Gov systems. Wellington reported its breach on June 7 after being notified the previous day of vulnerabilities in its system.
After rebuilding its server and adding layers of security, the village said in a news release that customers of six departments that use Click2Gov to collect payments — building, business license, code, parking tickets, planning and utilities — can safely make payments online once more.
Statements from Midwest City and Midland officials reveal details that mirror the breach suffered by Wellington and the nine other local governments found by The Post, including Lake Worth, Okaloosa County and Ormond Beach.
Midwest City said it learned of a potential breach on Thursday. “Upon discovery, staff immediately began an investigation and contacted our utility payment vendor, Superion,” the city said in a news release.
The breach there affected up to 2,300 utility customers who made credit or debit card payments using Click2Gov between May 25 and June 21, the city said. As with Wellington and other breaches, automatic payments and payments made via phone, checking account or in person were not affected.
Midwest City said the issue has been corrected and its Click2Gov system is back online.
The breach in Midland lasted longer, that city said in a Monday news release, stretching from December 2017 to this month. Officials there were notified of the potential breach on Friday and, once again, it affected one-time credit and debit card payments. Midland shut down its server and expects it to be online in the coming days, the city said.
In its news release, Midland pointed to other cities’ Click2Gov services that have been affected by breaches. “The vulnerability in Superion’s Click2Gov function is believed to be wide-spread,” the city said.
Superion has said the breaches have only affected local governments who host their own Click2Gov servers on-site, not those who pay more to use servers at Superion’s data centers or on its cloud service.
“To date, Superion has deployed the necessary patch to our software and a related third-party component, and over 99 percent of these customers have applied these patches,” Superion spokeswoman Carol Matthieu said in an email. “At this time, we have no evidence showing that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations. Superion does not control our customers’ networks, so we recommend citizens contact their municipality or county if they have any questions related to security.”
Wellington and other governments have filed reports with law enforcement as the breaches arise. On Tuesday, the village released its report to the Palm Beach County Sheriff’s Office, which contains information previously released by Wellington, including a timeline of when the breach was discovered and the initial report that only utilities customers were affected. Through forensic analysis by third-party vendor the Sylint Group, Wellington learned the five other departments were affected. Sylint also narrowed Wellington’s breach timeline: instead of July 2017 to February, the window is Nov. 28, 2017, to June 4.
• Lake Worth: April 3, 2017 to Jan. 22
• Goodyear, Ariz.: June 13, 2017 to May 5
• Oceanside, Calif.: July 1 to Aug. 13, 2017
• Beaumont, Texas: Aug. 1-24, 2017
• Ormond Beach: Aug. 14 to Oct. 4, 2017
• Fond du Lac, Wis.: August to October, 2017
• Wellington: Nov. 28, 2017 to June 4
• Okaloosa County: December 2017 to March
• Midland, Texas: December 2017 to June
• Thousand Oaks, Calif.: Jan. 4-10
• Midwest City, Okla.: May 25 to June 21
• Oxnard, Calif.: March 26 to May 29, 2017
What to do
Have you been affected by a data breach? Wellington recommends following these steps:
• Review credit card statements and report unauthorized charges, no matter how small, to the card issuer.
• Ask your credit card issuer or bank to deactivate your card and issue a new card.
• Request a fraud alert on your credit file. This will tell creditors to contact you before opening new accounts or changing existing accounts.
• Request credit reports be sent to you, free of charge, for your review. Even if you do not find any suspicious activity on your credit reports, the Federal Trade Commission recommends that you check your credit reports periodically. Equifax: Equifax.com or 800-525-6285; Experian: Experian.com or 888-397-3742; TransUnion: Transunion.com or 800-680-7289.