ALL SYSTEMS GO FOR ONLINE PAYMENTS IN WELLINGTON
Meanwhile, two similar Click2Gov breaches turn up in Oklahoma, Texas.
WELLINGTON — The village’s online-billing system is safe to use, Wellington said Tuesday, as reports surfaced of similar breaches in two other cities in the United States.
The Palm Beach Post reported last week that at least nine other local governments have experienced breaches of billing vendor Superion’s Click2Gov systems. Wellington reported its breach June 7 after being notified the previous day of vulnerabilities in its system.
Also Tuesday, reports revealed two more Click2Gov breaches similar to that experienced by Wellington and other cities, in Midwest City, Oklahoma, and Midland, Texas.
Midwest City said it learned of a potential breach Thursday. “Upon discovery, staff immediately began an investigation and contacted our utility payment vendor, Superion,” the city said in a news release.
The breach there affected up to 2,300 utility customers who made credit or debit card payments using Click2Gov between May 25 and June 21, the city said. As with Wellington and other breaches, automatic payments and payments made via phone, checking account or in person were not affected.
Midwest City said the issue has been corrected and its Click2Gov system is back online.
The breach in Midland lasted longer, that city said in a Monday news release, stretching from December 2017 to this month. Officials there were notified of the potential breach Friday and, once again, it affected one-time credit and debit card payments. Midland shut down its server and expects it to be online in the coming days, the city said.
In its news release, Midland
pointed to other cities’ Click- 2Gov services that have been affected by breaches. “The vulnerability in Superion’s Click2Gov function is believed to be widespread,” the city said.
Superion has s aid the breaches have affected only local governments that host their own Click2Gov servers on site, not those who pay more to use servers at Supe- rion’s data centers or on its cloud service.
“To date, Superion has deployed the necessary patch to our software and a related third-party component, and over 99 percent of these customers have applied these patches,” Superion spokes- woman Carol Matthieu said in an email. “At this time, we have no evidence showing that it is unsafe to make pay- ments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations. Superion does not control our customers’ networks, so we recommend citizens contact their municipality or county if they have any questions related to security.”
Wellington and other governments have filed reports with law enforcement as the breaches arise. On Tues- day, the village released its report to the Palm Beach Cou nty Sheriff’s Office, which has information previously released by Welling- ton, including a timeline of when the breach was discovered and the initial report that only utilities customers were affected. Through forensic analysis by third-party vendor the Sylint Group, Wellington learned the five other departments were affected. Sylint also narrowed Wellington’s breach timeline from July 2017 to February, instead to Nov. 28, 2017, to June 4. Related breaches
■ Lake Worth: April 3, 2017, to Jan. 22
■ Goodyear, Ariz.: June 13, 2017, to May 5
■ Oceanside, Calif.: July 1 to Aug. 13, 2017
■ Beaumont, Texas: Aug. 1-24, 2017
■ Ormond Beach: Aug. 14 to Oct. 4, 2017
■ Fond du Lac, Wis.: August to October 2017 ■ Wellington: Nov. 28, 2017, to June 4
■ Okaloosa County: December 2017 to March
■ Midland, Texas: December 2017 to June
■ Thousand Oaks, Calif.: Jan. 4-10
■ Midwest City, Okla.: May 25 to June 21
■ Oxnard, Calif.: March 26 to May 29, 2017