The data breach of a parking ticket payment system, first reported more than a week ago by the City of Saint John, is much larger than first expected.
On Monday, the municipal government said it has reason to believe that anyone who paid a city-issued parking ticket online from early 2017 to Dec. 16, 2018 could be impacted by the breach.
But a report by Stas Alforov of Gemini Advisory, a company specializing in analyzing cybercrime, indicates that at least 46 other municipalities across the United States have also been affected by the breach of a popular online payment system known as Click2Gov.
“With it being cross-country and it happening in so many (places), I’d definitely call it a substantial breach,” Alforov said in a telephone interview on Monday.
Saint John, which uses the Click2Gov system to process the payment of city-issued parking tickets, says it first learned of the breach on Dec. 21 and immediately took down the payment system before notifying the owner of Click2Gov, software company CentralSquare Technologies.
As a result, CentralSquare immediately engaged a private security analyst to begin a forensic analysis of the breach. That analysis is ongoing.
The city says the breach may have exposed residents’ personal details, including first and last names, addresses and credit card information.
Not an isolated incident
Alforov says Gemini Advisory monitors underground marketplaces that specialize in the sale of compromised financial data and that they first began to see a trend in data that didn’t fit their usual patterns.
“We first started seeing these large pockets of data from smaller cities as compared to larger cities, and then I began to pull the string further down the road and realized that the data was coming from two particular criminals,” Alforov said.
Their analysis points to two people acting as part of a larger hacking group that targeted the Click2Gov software — with the compromised financial information from the system first coming up for sale on underground markets as early as July 2017.
Some cities in the United States, such as Beaumont, Texas, learned about the data breach in 2017.
Alforov says the issues were first reported by local media as being isolated incidents involving Click2Gov rather than the more widespread issue the data breach now appears to be.
Simon Angove, the CEO of CentralSquare — formerly known as Superion — acknowledged the apparent security issue in 2017 but said in an updated statement on June 15, 2018 that the security issue had been resolved.
Alforov says his analysis points to more than 2,940,000 payment records being compromised, with the criminals earning at least $1.7 million from the sale of that data.
Saint John breach
Financial data connected to the Saint John breach reportedly first appeared online in September 2017, and Alforov says it appears his report first tipped off the City of Saint John that there was a breach in the Click2Gov system.
“Saint John reached out to us and basically said ‘you guys are claiming this breach has been happening since 2017 in our city, however we have no signs of this from our own analysis nor from Click2Gov before this,’” Alforov said.
Saint John confirmed that they did find out about the breach through Gemini Advisory on Dec. 21.
“At that time, CentralSquare Technologies was not aware that the breach to Click2Gov impacted the City of Saint John,” wrote Lisa Caissie, a spokesperson for the City of Saint John, in an email.
Alforov says Gemini Advisory has passed on its findings to CentralSquare as well as federal investigators in the United States.
CentralSquare wrote in an email on Wednesday that they continue their efforts to swiftly help their customers resolve the data breaches and that they have “diligently kept our customers informed while working with them to keep their local premise systems updated and protected.”
“For security and confidentiality reasons, we cannot disclose any information about our customers, their environments or their security, nor are we in a position to comment on any investigations,” the statement read.
What to do if you paid a parking ticket in Saint John
Customers who believe they’ve been impacted by the breach are asked to closely monitor financial accounts and, if any unauthorized activity is detected, promptly contact their financial institution.
The city also recommends affected individuals file a police report if they feel they’ve become a victim of identity theft.
Saint John says the online parking payment system will remain offline until it is “assured that user information is safe.”
In the meantime, anyone who receives a parking ticket is still expected to pay the fine, either in person, by phone or via email.