Today is a slow news day for the credit function as many issuers deploy their year-end strategy to clean up their collection queues as we start 4Q18. For some it may be too little, too late. Others will find that scrubbing their files and negotiating payment plans will be worth the effort to reduce credit risk.
Fraud on the other hand, never sleeps. Morning, noon and night, attacks come against data stores. Even the sleepy town of St. Petersburg, FL saw an attack. This brought us to find that many local governments using Click2Gov payment systems have seen data breaches.
It is convenient to pay your water bill online through a site like this but somewhere along the payments chain is a gaping hole, as Google validates when the word pair “Click2Gov” and breach are submitted into a search. Today, it returned 7,168 responses. Some are from local news picking up reports, others are from towns and cities like St. Petersburg.
Dark Reading, a trade journal focused internet threats, called out a WebLogic Application Flaw.
- At least 10 US cities running Click2Gov software have alerted citizens to a data breach, but it turns out the problem was in the application server.
- A discovery has been made regarding a series of security incidents in US cities using an online billing software called Click2Gov. Over the past year, at least 10 cities running the software have alerted citizens to data breaches. It turns out Click2Gov’s program wasn’t being attacked.
- Risk Based Security’s Inga Goddijn noticed a pattern of Click2Gov, a product of Superion Software, appearing in breach notification letters. The notifications came from cities across the United States, which reported both data breaches and the installation of cryptocurrency miners. Oxnard, Calif. was most recently breached; its incident occurred on May 25.
Click2Gov’s parent responded that it was the Oracle connection through WebLogic that was likely the entry point for hackers.
- Further investigation by Superion showed the attackers didn’t break in through Click2Gov but through third-party software needed to use it: Oracle’s WebLogic application server. The WebLogic vulnerability has been patched and since the crux of the problem is not within Click2Gov, cities running the cloud-based version of the software have not been affected, according to a Codebook report.
Whether it be Click2Gov’s fault, or Oracle’s, this affects credit card carrying residents in towns from St. Pete, FL to Medford, Oregon.
Nothing is sacred when it comes to credit card fraud. You can’t even pay for parking tickets and water without worrying anymore.
Overview by Brian Riley, Director, Credit Advisory Service at Mercator Advisory Group