Saint John Parking Ticket System Data Breach Impacts Users

At least 6,000 people in Saint John, N.B., have been affected by a data breach that impacted the municipality’s online parking ticket system.

Alex Cooke of the national news agency The Canadian Press reports, “As many as 6,000 people in Saint John, N.B., could have had their personal information exposed, an analyst group said as the city announced it was one of dozens of municipalities affected by a data breach to its online parking ticket payment system.”

The report also reveals that the city has learned about a breach to the third-party software product Click2Gov; HackerCombat has already reported about the stealing of data from local Click2Gov government systems across US cities. Click2Gov, which is run by CentralSquare Technologies, gives people options to make online payments and avail of many government services. The Saint John online parking ticket system, which functioned through this software, allowed people to pay parking tickets through the city’s website.

Saint John spokeswoman Lisa Caissie has clarified that an investigation is already being conducted by CentralSquare Technologies.

The city’s payment site has meanwhile been shut down. People who suspect that they could have been affected have been advised to monitor their financial accounts and contact their bank upon seeing any kind of unauthorized activity.

Cybersecurity researcher Stas Alforov, Director of Research and Development at Gemini Advisory, had reported that the security firm had recently discovered that almost 300.000 payment records had been compromised in a breach that impacted Click2Gov Software. The breach panned 46 cities in the U.S and one in Canada (Saint John) and had been taking place since 2017. Thus, the breach that has impacted the online parking ticket payment system in the Canadian city is just a small part of a much larger issue.

Gemini Advisory started investigating the suspected breaches after noticing an unusual pattern of credit card information (a concentration of victims located in small-to-medium US cities) being put up for sale online. Stas Alforov writes, “Further analysis of the card data linked to these locations and collaboration with partner banks have determined that records likely been stolen from local municipal services that license Click2Gov software, a popular payment technology primarily used by local governments to receive various payments from their residents.”

Stas Alforov had written on the Gemini Advisory website that in the breach that panned 46 cities in the U.S and one in Canada, at least 294,929 payment cards were impacted. He pointed out that “…less than 50% of the affected cities have identified or reported a compromise in their utility payment system.” He adds, “Breached payment card data was linked to over 1000 financial institutions, with 65% of stolen records associated with the top 20 affected banks.”

After Alforov had posted details of the findings, he reportedly received a call from the city of Saint John explaining that they weren’t really aware of the breach.

The breach, which had been taking place from 2017, impacted not just cardholders from Saint John. It would have impacted those people also who came from out of town and had gotten a ticket in Saint John and thus their information may also have been compromised. (This is applicable to all the cities impacted by the breach!)

CentralSquare Technologies (formerly known as Superion), the developers of the Click2Gov software, was not aware earlier of the breaches, as per reports. Gemini Advisory shared details with CentralSquare as well as with Federal Law Enforcement.

The Gemini Advisory post reads, “According to CentralSquare Technologies, the initial vulnerability which was identified in 2017 had been successfully mitigated, with all users being advised to deploy the software patch as soon as possible. However, it appears that the attackers uncovered another undetected vulnerability, which has yet to be patched.”

In his report, Alex Cooke of The Canadian Press writes, “Alforov said it’s important for the municipalities to be aware of the software they’re using and how to keep it up to date, while it’s on the software provider to keep the end user informed about their product.”