Cybersecurity and...Parking Tickets!
All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.
Here in the Meadow, parking really isn’t an issue. We only have the two meters, both in front of the city hall. Generally, our residents put their dimes in the meters and we are happy. From time to time Margie walks out from her office to write out a ticket. This happens so infrequently, Margie regularly misplaces her ticket pad.
This was not the case in Ames, Iowa. Regularly, visitors and residents receive tickets for parking violations. This tends to give people a slight headache when they see the paper waving in the wind, beckoning the driver “Hello!” The city even offers the option to pay these online.
Unfortunately, there was a data breach with the online payment system for their parking tickets (Click2Gov). The city learned of the compromise on November 18th or 19th, 2018, through their IT department. Once this occurred, the city notified Click2Gov. In response, the online parking ticket payment system was taken offline. The administrative actions for the issue involved replacing the web server. This service was brought back online on November 20th. Although the service was back online, the city is still reviewing the compromise to determine what vulnerability allowed the successful attack.
Approximately 4,600 Ames, Iowa residents paid their parking tickets to the city online using the provided service. The city’s other residents, who did not use this service, were not affected. The potentially affected residents were mailed a written notice and emailed the same.
The compromised data was what the residents provided when they used the service. This included the first name, last name, mailing address, email address, and debit/credit card numbers. If an enterprising person just happened to have this data, it may be useful for phishing, fraudulent credit card transactions, and other exciting activities. Due to this compromise, the affected persons will need to monitor their personal credit for years and years to come.
We have the opportunity to learn from this. For this application, a simple static review would be warranted, along with closer monitoring of the SIEM.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.