Cyber Expert Explains Broken Arrow's Data Breach
BROKEN ARROW, Oklahoma - Local tech experts are weighing in on the possible Click2Gov data breach that has the City of Broken Arrow's online payment system temporarily shut down. Experts say the software has been hacked at least one other time, impacting the information of families.
"This is the curse of the 21st century, you are at the mercy of other people for protecting your information," says the University of Tulsa’s Dr. John Hale.
Tech experts said they have to consider the background and history of the software they decide to use while also recognizing there is no such thing as completely secure software.
If you go to the City of Broken Arrow's website to pay a utility bill or court fine, you will run into a problem. Click2Gov, the software the city uses for those payments, is temporarily shut down because of a possible data breach.
"It could be your data, it could be personal information, could be financial information, data they shouldn’t have access to, they just want it because it is marketable," says Dr. Hale.
The city says it was made aware of a possible data breach involving Click2Gov. It’s working with CentralSquare, the parent company, to determine the scope of the breach. An investigation is ongoing.
“It looks like the attackers were able to upload a program that would let them basically steal credit card information, and then get it back out where they could sell it or use it themselves," said Dr. Hale.
Doctor John Hale, with the University of Tulsa, says this isn’t the first time Click2Gov has been attacked.
According to tech sites, this is the first time a possible breach has included Broken Arrow.
"It seems like there has been at least one previous attack on a number of cities and I think some of the cities were attacked again on the second or third wave," said Dr. Hale. "It is deployed in places that are particularly vulnerable because they don't have Fortune 500 budgets to do security the way JP Morgan might."
The city says about 6,000 people in Broken Arrow use Click2Gov a month to pay their utility bills. About 300 people a month use the software to pay court fines. The city is not sure how much, if any, personal information was compromised in the breach, but Click2Gov says only a small number of customers have reported issues.
"In terms of what the municipalities and the government were responsible for, their systems were okay, they were patched adequately - it was a vulnerability in the software that enabled this attack and that is the responsibility of the company that sells the software," said Dr. Hale.
The City of Broken Arrow released this statement:
“The City of Broken Arrow takes cyber-security very seriously. The City works daily to secure its online systems to the highest extent possible and safeguarding its citizens’ financial information is the City’s highest priority.
The City was made aware of a possible data breach involving Click2Gov, a third-party payment software system that processes some payments on behalf of the City.
The City is currently working with CentralSquare, the parent company of Click2Gov, and other third-party experts to determine the scope of the possible data breach.
An investigation is ongoing. Once the investigation is complete, all potentially impacted parties will be notified as required by the law.”
CentralSquare, the parent company of Click2Gov, also released this statement:
“Local government and public safety agencies are under constant threat of cyberattack. Protecting our customers and their data is one of our most important goals at CentralSquare.
We have recently received reports that some consumer credit card data may have been accessed by unauthorized or malicious actors on our customers’ servers. It is important to note that these security issues have taken place only in certain towns and cities.
We have immediately conducted an extensive forensic analysis and contacted each and every customer that uses this specific software, and are working diligently with them to keep their systems updated and protected. At this time, only a small number of customers have reported unauthorized access.
For security and confidentiality reasons, we cannot disclose any information about our customers, their environments or their security.
Meanwhile, we continue our efforts in helping our customers to swiftly resolve this matter. We are working closely with forensic security experts and investigative agencies.”