Nearly 300,000 people have had their personal data stolen in a breach of Click2Gov, a widely used government payment software.
Security research firm Gemini Advisory published a report on Tuesday (Dec. 18) explaining how vulnerabilities in Click2Gov have affected citizens in dozens of towns across the United States. Hackers were able to gain access to the payment networks and steal the credit and debit card data that residents had used to pay fines, taxes and permit fees on town websites.
The report noted that at least 294,929 payment records have been compromised in 46 U.S. cities, with criminals generating $1.7 million from selling the data on the Dark Web.
Gemini Advisory Director of Research Stas Alforov told Fortune that Click2Gov “has worked with many of the affected towns to patch the software,” and that the issues were due “in part because of a lack of sophistication on the part of municipal IT workers.” He added that while many of the towns have addressed the vulnerabilities, others have still left consumer data exposed.
This isn’t the first time Click2Gov has been hit with a security breach. In September, it was revealed that its servers were breached, most likely through a vulnerability in the portal’s web server that enabled attackers to upload malware and steal payment card data over “weeks to numerous months.”
In this instance, hackers uploaded a tool called FIREALARM to search for credit card data, while another malware called SPOTLIGHT was able to intercept credit card data from unencrypted network traffic. Credit card numbers, expiration dates and verification numbers — along with names and addresses — were stolen. It is unknown how many consumers were affected by the breach.
At the time, Click2Gov owner Superion issued patches, but said it was up to the local governments and municipalities to patch their servers to ensure that their residents were protected.