Waco: Online water payment portal breached, card data possibly captured
Waco’s online water payment portal Click2Gov was breached and payment cards entered between Aug. 30 and Oct. 14 may have been captured by a piece of malicious code inserted by hackers, the city said Wednesday.
"Unfortunately, this is something that happens in the credit card world," said Larry Holze, spokesman for the City of Waco.
The city is reviewing security policies and procedures and working with the FBI in an ongoing criminal investigation.
The third-party vendor that manages the system notified the city on Nov. 8 “that alterations to the vendor’s application code could have enabled the unauthorized copying of payment card information from the city’s internet browser window during certain payment transactions,” the city said in a press release Wednesday.
The city hired third-party forensic investigators who determined that the malicious code inserted into the site could have captured payment card information between Aug. 30 and Oct. 14 including names, addresses, card numbers, expiration dates and CVV numbers.
"The only information compromised would be the credit card information, the city does not keep credit card information, we do not keep any personal data, social security numbers, things like that," said Holze.
Holze says the 4-5 weeks of exposure happened during a temporal building period.
“The city has worked diligently to identify those individuals who may have made payments during the affected period. We also worked with the third-party vendor responsible for the payment application to ensure the security of the Click2Gov website moving forward,” the city said in the press release.
“Additionally, we took steps to confirm and further strengthen the security of our systems, including our online utilities payment portal,” the city said.
Holze says they receive about 12,500 online payments through the portal monthly.
The ones affected by the breach will receive letters this week explaining the incident and the steps taken in response as well as recommendations for protecting personal information.
"We've sent out letters to all those people who they've been able to give us that have been compromised, in some fashion, asking them to be careful and watch their statements and make sure something doesn't show up," said Holze.
Holze says more than 8,000 letters have been sent out.
No credit card payments made in-person at the Water Office were involved, Holze says, however, the city is encouraging all Waco residents to monitor all financial transactions/statements and promptly report any suspicious or unusual charges to the relevant banking institutions.
The city has set up a dedicated assistance line for residents with questions, which will be staffed from 8 a.m. to 8 p.m. Monday through Friday.
The number is 833-947-1419.
Holze wasn't aware of any reported victims thus far.
Waco wasn't the only city-system hacked: there was an even larger data breach reported recently with the same vendor in College Station.
"They handle the online payments for a number of cities across the country," Holze said of the vendor.