The City of Bend, Ore., announced Jan. 8 that a data security incident may have compromised credit card information of some city utility customers.
Bend learned about the potential incident, which impacts customers who either made a one-time utility bill payment or enrolled in auto-pay with a credit or debit card between Aug. 30 and Oct. 14 of last year, from CentralSquare. The third-party vendor manages the city’s online utility payment portal, known as Click2Gov.
CentralSquare found “that malicious code may have been inserted into the Click2Gov software which could have allowed an unauthorized party to copy personal payment card information from customers who logged into the system to make a one-time credit card payment or to enroll in auto pay between August 30, 2019 and October 14, 2019.”
The city reported that data impacted includes the cardholder’s name, card billing address, card number, card type, card security code, and card expiration date. Luckily, the city reported that Social Security numbers and government-issued identification numbers were not compromised. Additionally, auto-pay customers who signed up prior to Aug. 30 or after Oct. 14 were not impacted.
“Data privacy and security for our customers are high priorities, and we are taking this situation very seriously,” said Chief Innovation Officer Stephanie Betteridge. “We are doing everything we can to mitigate the situation, serve our customers and protect against future incidents.”
In a release, Bend said it has worked with CentralSquare to remove the malicious code from Click2Gov and has implemented “additional security measures to help mitigate future risk.” The city further noted that the incident involved Click2Gov’s software and “was not due to a vulnerability of the City’s infrastructure, systems, or security.” Bend also said that it “has plans in place to migrate to a new payment processing services provider in the near future.”
In the meantime, the city is working with CentralSquare, a third-party forensic investigator, outside legal counsel, and local and federal law enforcement to evaluate the nature and scope of the incident. The city said that while the investigation into the incident is ongoing, the incident itself is not.
Customers impacted by the incident will be offered one year of credit and identity-monitoring services at no cost. The city did not say whether it or CentralSquare will be paying for the cost of the monitoring services.