As many as 6,000 people in Saint John, N.B., could have had their personal information exposed, an analyst group said as the city announced it was one of dozens of municipalities affected by a data breach to its online parking ticket payment system.
The city said it learned about a breach to the third-party software product Click2Gov, run by CentralSquare Technologies. The product gives customers the option to pay parking tickets through the city’s website.
In an e-mail, Saint John spokeswoman Lisa Caissie said CentralSquare Technologies is conducting an investigation, which will involve a forensic analysis.
“Understanding the extent of the breach to the Click2Gov software is a priority,” she said, adding that a third-party cybersecurity provider will also conduct an independent review and further updates will be provided as more information becomes available.
In the meantime, the city’s payment site has been shut down, and Saint John staff advise anyone who believes they could be affected to closely monitor their financial accounts and contact their bank if they see any unauthorized activity.
CentralSquare Technologies could not immediately be reached for comment Saturday.
The breach in Saint John is part of a much larger issue, said cybersecurity researcher Stas Alforov.
A recent report from Alforov, director of research and development for Gemini Advisory, said the firm discovered that nearly 300,000 payment records had been compromised from 46 North American cities – including about 6,000 from Saint John – since 2017.
Saint John is the only Canadian city involved in the breach, with the rest coming from the U.S.
“Our analysis shows that all breaches are part of the larger hacking operation conducted by the same hacking group, and are not random in nature,” the report said.
Gemini Advisory, which collects information from criminal marketplaces and supplies it to financial institutions, first began digging into the suspected breaches when they noticed an unusual pattern of credit card information being posted online for sale.
Alforov said he noticed allegedly stolen credit card information for sale online coming from smaller communities scattered across North America, rather than in the more typical urban centres.
Through further digging, Gemini Advisory linked these cases with other instances of alleged data breaches from Click2Gov.
After posting his findings on Gemini Advisory’s website, Alforov said he received a call from the city of Saint John.
“They said, ‘We weren’t actually aware of this,’ and I said, ‘That’s understandable, yet it appears you guys were breached back in 2017 in September,’” he said.
“I’ve been seeing new cards uploaded, about 1,000 cards about every few months, from 2017 to early November of 2018.”
He said that not all the cardholders were from Saint John: if someone came from out of town and had gotten a ticket in Saint John, their information may have been compromised as well. The same would go for all of the other cities involved in the breach.
Alforov said he gave the city the names of those affected, and has provided the names of the dozens of municipalities involved to both law enforcement and Click2Gov.
He noted that CentralSquare Technologies was not always immediately aware of the breaches. He added that the company had previously told him that the affected systems were all locally-hosted, and their cloud-based software was not affected.
The company had also deployed a patch for the system, Alforov said, yet the vulnerability remained.
Alforov said it’s important for the municipalities to be aware of the software they’re using and how to keep it up to date, while it’s on the software provider to keep the end user informed about their product.
“We can’t really point our fingers at just Click2Gov, or just the municipality; it’s kind of a joint problem, in a sense,” he said.