Another Municipality with Issues
Government entities tend to have a unique situation. The entity has a set amount of revenue received annually. There are fluctuations with this as property values and taxes fluctuate and other sources of fees are collected. These adjustments are not significant. With the limited resources, the government entities have to plan for activities through the year. These usually cost money and don’t allow for a mass amount of changes. There are also the random events that occur that we try and plan for, which also are an expense unless these are certain events covered by the insurance.
City Payment System Breach
The city uses a system to collect payments from its citizens, much like any other. This makes the citizens paying fees a bit easier for them. This system may be done online and in-person. These payments may be for utilities, municipal court fines, and fees. Due to an unknown issue, the system was compromised. The successful attack allowed these persons to take the user’s credit card information including the credit card numbers, security codes, and expiration dates. Unfortunately, along with this, the user’s first name, last name, middle initial, address, city, state, and zip codes were stolen. The only benefit from this situation is not every citizen was affected. This fortunately excluded the citizens that paid at the 24 hour kiosk with a credit card, and those who paid with a credit card over the phone with the IVR system.
Timing
Breach periods vary for each circumstance. These could vary immensely based on the monitoring, configuration, InfoSec teams, and too many other factors to take into note. In this circumstance, the period was approximately eight weeks, from June 18-August 22, 2018. Once the city was notified, the payment system was shut down. The payment system was provided by Superion. The service was Click2Gov software. After the notification, the city began to work with Superion to review the client’s data to ensure it was not affected, or modified. As a result of this, the city did implement additional security features.
Follow-Up
As to be expected, the city contacted the pool of potentially affected persons. The city is notifying the affected persons to review their credit card statements for any unauthorized charges. Additionally, the users may ask the credit card company to deactivate their card and request a replacement. To monitor the accounts for fraud, the users are also able to request a fraud alert to be placed on their account.
Even though this is being investigated, there are still many questions surrounding the issue, involving who or which group breached the system. Also the credit card processor, Superion, only has a portion of the credit card payments being affected. Did they have two different systems to process the different types of payments? Also why didn’t their InfoSec team have a clue this occurred? There had to be a relatively significant amount of traffic to exfiltrate this. This should have shown up with the logs. This is notable as the U.S. Secret Service had to notify the city.
Resources
City of Tyler. (2018). Click2gov payment system security breach. Retrieved from http://www.cityoftyler.org/Departments/TylerWaterUtilities/WaterBillingOffice/PayingYourBill.aspx
Kirst, K. (2018, September 10). What you can do to protect your information. Retrieved from http://knue.com/city-of-tylers-online-payment-system-breached-what-you-can-do-to-protect-your-information/
Mansfield, E. (2018, September 10). U.S. secret service reported software back to city of tyler. Retrieved from https://tylerpaper.com/news/local/u-s-secret-service-reported-software-hack-city-of/
Terry, C. (2018, October 10). City of tyler’s click2gov payment system breached. Retrieved from http://www.kltv.com/story/39060322/city-of-tylers-click2gov-payment-system-breached
Wood, C. (2018, September 10). City of tyler notified of payment system breach. Retrieved from https://www.easttexasmatters.com/news/local-news/city-of-tyler-notified-of-breach-for-system-to-collect-utility-and-court-fee-payments/1431720813
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.