As many as 6,000 people in Saint John, N.B., could have had their personal information exposed, an analyst group said as the city announced it was one of dozens of municipalities affected by a data breach to its online parking ticket payment system.

The city said it learned about a breach to the third-party software product Click2Gov, run by CentralSquare Technologies. The product gives customers the option to pay parking tickets through the city’s website.

In an e-mail, Saint John spokeswoman Lisa Caissie said CentralSquare Technologies is conducting an investigation, which will involve a forensic analysis.

“Understanding the extent of the breach to the Click2Gov software is a priority,” she said, adding that a third-party cybersecurity provider will also conduct an independent review and further updates will be provided as more information becomes available.

In the meantime, the city’s payment site has been shut down, and Saint John staff advise anyone who believes they could be affected to closely monitor their financial accounts and contact their bank if they see any unauthorized activity.

CentralSquare Technologies could not immediately be reached for comment Saturday.

The breach in Saint John is part of a much larger issue, said cybersecurity researcher Stas Alforov.

A recent report from Alforov, director of research and development for Gemini Advisory, said the firm discovered that nearly 300,000 payment records had been compromised from 46 North American cities – including about 6,000 from Saint John – since 2017.

Saint John is the only Canadian city involved in the breach, with the rest coming from the U.S.

“Our analysis shows that all breaches are part of the larger hacking operation conducted by the same hacking group, and are not random in nature,” the report said.

Gemini Advisory, which collects information from criminal marketplaces and supplies it to financial institutions, first began digging into the suspected breaches when it noticed an unusual pattern of credit card information being posted online for sale.

Alforov said he noticed allegedly stolen credit card information for sale online coming from smaller communities scattered across North America, rather than in the more typical urban centres.

Through further digging, Gemini Advisory linked these cases with other instances of alleged data breaches from Click2Gov.

After posting his findings on Gemini Advisory’s website, Alforov said he received a call from the city of Saint John.

“They said, ‘We weren’t actually aware of this,’ and I said, ‘That’s understandable, yet it appears you guys were breached back in 2017 in September,’” he said.

“I’ve been seeing new cards uploaded, about 1,000 cards about every few months, from 2017 to early November of 2018.”

He said that not all the cardholders were from Saint John: if someone came from out of town and had gotten a ticket in Saint John, their information may have been compromised as well. The same would go for all of the other cities involved in the breach.

Alforov said he gave the city the names of those affected, and has provided the names of the dozens of municipalities involved to both law enforcement and Click2Gov.

He noted that CentralSquare Technologies was not always immediately aware of the breaches. He added that the company had previously told him that the affected systems were all locally hosted, and its cloud-based software was not affected.

The company had also deployed a patch for the system, Alforov said, yet the vulnerability remained.

Alforov said it’s important for the municipalities to be aware of the software they’re using and how to keep it up to date, while it’s on the software provider to keep the end user informed about their product.

“We can’t really point our fingers at just Click2Gov, or just the municipality; it’s kind of a joint problem, in a sense,” he said.
