Superion (Click2Gov) Now DBA Central Square Technologies
January 1, 2017
Undisclosed
Confirmed
Hacking
Technology
This is a rather unique case, given the length of time over which the breach notices came out. There is a second round as well, separated by enough time that it is likely a second, separate incident, and it will be coded as such. This incident involved many partners' data, and is thus coded from the partner's perspective rather than having one incident per reporting partner, which would inflate the breach count in error.
Here is an excerpt explaining what happened from the City of Oxnard's notice to customers:
"On May 22, 2018, the city received a call from a banking institution advising that some of their credit card holders experienced fraudulent purchases on their accounts and these were the same cards used to pay their City of Oxnard utility bills with its Click2Gov (Superion) online payment system. Upon discovery, the City immediately reported the issue to the Police Department and Superion, which engaged a third-party forensic firm to determine what happened and what information may have been affected. Superion alerted the City to a software vulnerability that had the potential to allow an unauthorized individual to gain access to the computer used to process credit card transactions. Security patches were applied by Superion on a new server to eliminate the vulnerability with the thought that the issue was resolved. On May 29, 2018, Superion informed the City of additional security controls that were required to secure the system. The City shut down the system immediately so these security controls could be implemented. Even though the vendor’s investigation could not specifically confirm or verify the exact method by which any credit card data could have been compromised, the City has decided to notify customers out of an abundance of caution."
More on the attacker's technique:
"Attackers are exploiting an unpatched vulnerability in Oracle’s WebLogic.
Early on, we speculated whether the problem was with the Click2Gov application itself and whether it impacted the cloud-based version of the system. It has since come to light that only local installations are at risk. Attackers are gaining access to application servers due to a known vulnerability in WebLogic and escalating the attack from there."