Click2Gov Parking System in Saint John City, Canada Hacked For Two Straight Years

The public parking payment system used by Saint John, a port city in New Brunswick, Canada is the latest victim of zero-day exploits. Click2Gov payment system, which handles the city’s payment operations was attacked by hackers using zero-day exploits since May 2017. For almost two years, the city’s servers hosting the Click2Gov payment system has been infiltrated by known outsiders, exposing confidential customer information stored in the servers.

“Multiple instances when an unknown source gained access to confidential customer information on the city’s server through the Click2Gov payment system. This gives reason to believe that the breach could impact anyone who has paid a city-issued parking ticket over the past two years, from early 2017 to December 16, 2018,” explained the city’s spokesperson.

Apparently, the Click2Gov payment system infiltrated in the city of Saint John contains the following sensitive information about their customers:

• Full name
• Mailing address
• Credit card number and its expiry date
• Credit card security code

These information in aggregate is enough for threat actors to use in an identity theft activity. The city in itself has no IT forensic capacity to further probe the data breach, they discovered the infiltration using zero-day attacks with the help of a 3rd party cybersecurity consulting contractor hired by CentralSquare Technologies, the city’s technical partner which helps conduct the forensic investigation.

“This gives reason to believe that the breach could impact anyone who has paid a city-issued parking ticket over the past two years, from early 2017 to December 16, 2018,” added the city’s spokesperson.

At the time of this writing, Saint John port city’s parking payment system is turned-off and it will remain under the maintenance downtime for the entire duration of the investigation. “The city apologizes to customers who have been impacted by the data breach. Cyber attacks can happen at any time and the city makes every effort to protect the confidential information of all customers, citizens and employees,” concluded the city’s spokesperson.

Another cybersecurity consulting firm, Risk Based Security noted that the malware used for the zero-day attack was “very sneaky and quite hard to detect. This is clearly targeted by a highly skilled attacker who is well-versed in Click2Gov.” Central Square on their end has mentioned that they have patched the parking payment system, hence the zero-day flaw should have been fixed. “despite broad patch deployment the system remains vulnerable for an unknown reason … [I]t appears that the attackers uncovered another undetected vulnerability, which has yet to be patched,” said CentralSquare’s representative.

Click2Gov system is used by at least 600 clients in the United States and not just operating in Canada. They need to get their act together to ascertain that all their systems similar to the one deployed in Saint John are patch to address vulnerabilities. It is unfortunate, but there is a delicate balance between allocating and spending funds to find critical bugs in a system vs the capability of a service provider to make sure all their clients have a bug-free system. It requires aggressive patch management and change management in order to at least not to fall for known vulnerabilities, let alone a zero-day bug.