www.canadiansecuritymag.com

News Data Security
Up to 6,000 people’s personal info may have been exposed after data breach in Saint John

SAINT JOHN, N.B. — As many as 6,000 people in Saint John, N.B., could have had their personal information exposed, an analyst group said as the city announced it was one of dozens of municipalities affected by a data breach to its online parking ticket payment system.


December 28, 2018
By The Canadian Press

Topics

The city said it learned about a breach to the third-party software product Click2Gov, run by CentralSquare Technologies. The product gives customers the option to pay parking tickets through the city’s website.

The city said it has contacted CentralSquare Technologies to investigate the breach.

In the meantime, the city’s payment site has been shut down, and Saint John staff advise anyone who believes they could be affected to closely monitor their financial accounts and contact their bank if they see any unauthorized activity.

“The City of Saint John takes protection of our data systems very seriously and sincerely apologizes for the inconvenience this incident may have caused,” a news release on the city’s website said.

Neither the city of Saint John nor CentralSquare Technologies could immediately be reached for comment Saturday.

The breach in Saint John is part of a much larger issue, said cybersecurity researcher Stas Alforov.

A recent report from Alforov, director of research and development for Gemini Advisory, said the firm discovered that nearly 300,000 payment records had been compromised from 46 North American cities — including about 6,000 from Saint John — since 2017.

Saint John is the only Canadian city involved in the breach, with the rest coming from the U.S.

“Our analysis shows that all breaches are part of the larger hacking operation conducted by the same hacking group, and are not random in nature,” the report said.

Gemini Advisory, which collects information from criminal marketplaces and supplies it to financial institutions, first began digging into the suspected breaches when they noticed an unusual pattern of credit card information being posted online for sale.

Alforov said he noticed allegedly stolen credit card information for sale online coming from smaller communities scattered across North America, rather than in the more typical urban centres.

Through further digging, Gemini Advisory linked these cases with other instances of alleged data breaches from Click2Gov.

After posting his findings on Gemini Advisory’s website, Alforov said he recieved a call from the city of Saint John.

“They said, ‘We weren’t actually aware of this,’ and I said, ‘That’s understandable, yet it appears you guys were breached back in 2017 in September,'” he said.

“I’ve been seeing new cards uploaded, about 1,000 cards about every few months, from 2017 to early November of 2018.”

He said that not all the cardholders were from Saint John: if someone came from out of town and had gotten a ticket in Saint John, their information may have been compromised as well. The same would go for all of the other cities involved in the breach.

Alforov said he gave the city the names of those affected, and has provided the names of the dozens of municipalities involved to both law enforcement and Click2Gov.

He noted that CentralSquare Technologies was not always immediately aware of the breaches. He added that the company had previously told him that the affected systems were all locally-hosted, and their cloud-based software was not affected.

The company had also deployed a patch for the system, Alforov said, yet the vulnerability remained.

Alforov said it’s important for the municipalities to be aware of the software they’re using and how to keep it up to date, while it’s on the software provider to keep the end user informed about their product.

“We can’t really point our fingers at just Click2Gov, or just the municipality; it’s kind of a joint problem, in a sense,” he said.

— By Alex Cooke in Halifax

News from © Canadian Press Enterprises Inc. 2018