Questions loom over unpatched Click2Gov payment software as it continues to wreak havoc in the United States

  • Click2Gov payment software is widely used by several government agencies in the United States.
  • In 2017 and 2018, hackers compromised about 300,000 cards, which netted them approximately $2 million, just by exploiting flaws in Click2Gov.

Failing to patch vulnerable software on time can have serious consequences. Such is the case with the Click2Gov payment software, which is widely used by several government agencies in the United States. Given its significant use across counties and cities, Click2Gov has been the target of numerous breaches. In 2017 and 2018, hackers compromised about 300,000 cards, which netted them approximately $2 million, just by exploiting flaws in Click2Gov.

In 2019, the threat continues to grow as cybercriminals breach the software on a large scale, affecting numerous residents and their bank accounts. Here’s a glance at how Click2Gov has served as a major attack channel against the utility bill payment processes that different cities run for their customers.

Reckoning the impact due to vulnerable Click2Gov

The personal information of customers of Hanover County, Virginia, was compromised after an unauthorized party stole credit card information from the payment portal between August 1, 2018, and January 9, 2019. The exposed information included customer names, credit card numbers, and expiration dates.

The City of Saint John was forced to shut down the Click2Gov server after its information technology staff learned that the server, used for collecting parking ticket fines, had been infected with malware for the past 18 months. The incident affected the payment and personal details of as many as 6,000 people who paid their fines using credit cards.

The vulnerable payment processing software also impacted eight cities in the U.S., allowing attackers to compromise more than 20,000 payment card records. The affected cities were Deerfield Beach, Palm Bay, Milton and Coral Springs in Florida; Bakersfield, California; Pocatello; Broken Arrow, Oklahoma; and Ames, Iowa.

A security breach at the City of Pocatello also compromised the credit card payment details of around 3,500 residents. The affected residents had made their utility payments through the Click2Gov payment portal.

The City of College Station Utility Customer Service Department warned its customers about a potential data breach due to a security issue with Click2Gov. The breach occurred between July 31 and November 15.

The City of Dothan also saw a data breach due to a vulnerability in Click2Gov. The officials claimed that the incident had affected over four thousand credit and debit cards used to make online utility payments.

Unauthorized access to the Click2Gov server also affected Cucamonga Valley Water District (CVWD) customers between August 26 and October 14, 2019. Officials suspect that the server may have exposed customers’ billing information to theft.

The Water Department of Fort Worth, Texas, notified 3,000 customers that their payment information may have been exposed during a data breach that involved the Click2Gov software. The utility reported that payments made between August 27 and October 23, 2019, were included in the breach, and that the exposed content included the cardholder’s name, credit card billing address, credit card number, card type, credit card security code (CVV) and card expiration date.

The City of Odessa also admitted to a data security incident that took place between August 27 and October 14. The city used the third-party software Click2Gov to provide customers with the ability to pay utility bills via the internet. The incident affected some customers’ credit/debit information.

The City of Waco is the latest addition to the wave of Click2Gov breaches in 2019. The city warned residents about the compromise of their online payments after hackers managed to breach the third-party online payment software and planted malicious code to siphon off sensitive data between August 30 and October 14, 2019.