Wellington Warns Of Data Breach In Online Payment System

On Thursday, June 7, Wellington officials informed residents of a possible data breach within the village’s online payment system.

According to the notice released to the public, Wellington was informed of the issue on Wednesday, June 6, when it received a phone call from the village’s payment vendor, Superion.

Superion explained that their software — which is utilized by municipalities nationwide — had potentially been compromised. More specifically, the village’s system was experiencing vulnerabilities within its Click2Gov server.

Click2Gov is the payment server used by anyone making online payments for code, building, business licenses, parking tickets and utilities. The original statement focused specifically on the village’s water utility payment system. However, further investigation has determined that other Click2Gov payments may also have been compromised.

“Click2Gov was the only thing affected by this breach,” Bill Silliman, Wellington’s chief technology officer, told the Wellington Village Council on Tuesday, June 12.

One of the most important things to note about the data breach is that it affected only people who made one-time, online payments through Click2Gov sometime between February 2017 and February 2018. Residents who have automatic recurring payment plans on the village’s online payment portal are not affected by this breach.

Silliman explained the timeline of the village’s actions after finding out about the potential breach, and the ways in which Superion’s system issues affect Wellington and anyone who has used the online payment system.

According to Silliman, though the village was informed of the hacking on June 6, Superion had performed diagnostics that confirmed system vulnerabilities back in April. When Silliman asked for more information, it became clear that Superion lacked many details about how the hacking happened in the first place.

“There was some type of scan that was run on April 30, and it was on June 6 that they called us at 2 p.m. So, I said, ‘What happened between the time you did the scan and calling us?’ There was no real answer on that,” Silliman said.

Silliman explained that, instead of waiting for answers, the village shut down all online payment servers within an hour of receiving the phone call from Superion, and completely rebuilt a new and secure server over the weekend following the news of the hacking.

Silliman went on to explain what the hackers did in order to retrieve the confidential credit card information off the vendor’s payment server.

“What happened is that there was a vulnerability in the Click2Gov system that allowed hackers to get in there and drop web shells into it. [The web shells first] installed an application in which they were mining Bitcoins, and through which they saw they had remote access and capabilities to drop an additional web shell that was a card number capture device. If there was anybody who made a one-time payment and typed their card information in, it was grabbing it and putting it into a file,” Silliman said.

A web shell is a malicious file, typically a script, that is uploaded to a web server, enabling hackers to have complete control over the server and access to all information put onto it.

Silliman emphasized that the hackers were looking for one-time credit card online payments only, meaning that anyone who has an online automatic payment set up, or anyone who paid with an e-check or a bank account routing number, was not compromised in this breach. “It was only looking for credit card information. It was not looking for or capturing e-checks or account numbers,” he stressed.

Silliman explained that the hacking could not grab the information of anybody who had their card information saved on the web site’s wallet or was set up for automatic payment. “It was for one-time payments only made through credit or debit cards,” he said.

Silliman also asked Superion which other municipalities were affected by the breach, but they did not give an answer. From Silliman’s research, though, he found that two cities in California — Oxnard and Thousand Oaks — were the most recently affected.

Village Manager Paul Schofield said that the village has been experiencing unpredictable issues with its payment vendor, but it is working actively to inform residents of the situation in order to avoid any more issues. He said that the village had already been planning to change vendors before the system compromise happened.

“We’ve been working with [Superion] for a long time, and we noticed over time that they became less responsive,” he said. “We started to move over to a new software last year.”

The payment server has now been rebuilt and it is safe to use, though in-person or phone payments are also always an option.

“This is an embarrassment to us,” Mayor Anne Gerwig said. “We know that. We feel like we’ve disappointed the public in this. But we’re doing everything we can to correct it.”

The village staff and the council urged anyone who made a one-time, online payment with the village within this time frame to call their banks and get a new credit card, as well as monitor their credit cards closely.

“Sometimes those [credit card] numbers stay out there,” Gerwig said. “Hackers don’t use them right away, so just because you haven’t noticed unusual activity on your credit card, if you meet this criteria, you need to shut your credit card down.”

The village’s original statement from June 7 urged residents to take the following precautions:

• Review any credit card statements closely and report any unauthorized charges, no matter how small, to the card issuer immediately.

• Ask your credit card issuer to deactivate your card and issue a new card.

• Request a fraud alert to be placed on your credit file through one of the major credit bureaus.

• Request that credit reports from all three major credit bureaus be sent to you, free of charge, for your review.