According to a press release from the City, the security issue will only potentially affect people who enrolled in autopay or who made a one-time utility bill payment between August 30 and October 14, 2019. Autopay customers who enrolled before or after that were not affected, the City's release stated.
Stolen customer data could include the cardholder’s name, card billing address, card number, card type, card security code and expiration date. Social security numbers and government-issued ID numbers were not affected, the City stated.
The City uses the third-party vendor CentralSquare to manage the online utility payment portal, known as Click2Gov. According to its website, CentralSquare, headquartered in Florida, works with public-sector clients to offer the "broadest, smartest and most unified software suite that powers all aspects of managing local government." CentralSquare told the City that malicious code may have been inserted into the Click2Gov software, which may have allowed hackers to steal credit and debit card information from people using the system.
This is not the first time CentralSquare has had a security breach. Its Click2Gov platform has been hacked in dozens of cities across the U.S. beginning in 2017, as first reported by Oregon Public Broadcasting. The Medford Mail Tribune reported that it took the City of Medford five months to alert its 1,824 online utility customers of a breach that first occurred on Feb. 18, 2018. In the Medford case, a forensic investigation company hired by the city determined that hackers were able to gain access to the city's website and capture payment information as it was entered into the Click2Gov system.
Officials at the City of Bend declined to comment when asked about previous Click2Gov incidents in other cities.
City of Bend officials said they worked with CentralSquare to remove the malicious code and ensure that this incident is not ongoing.
An ongoing issue in breaches that have been reported around the country is that city government cyber security systems are sometimes outdated and vulnerable to attack through third-party online payment systems.
“This incident involved Click2Gov’s software. It was not due to a vulnerability of the City’s infrastructure, systems or security,” the City’s press release stated.
The City hired outside legal counsel and Sylint, a third-party forensic investigator, to evaluate the situation. Local and federal law enforcement will collaborate in an ongoing investigation. The City has also hired Kroll, a cyber security risk-management firm.
"Kroll is providing a number of services to the City, including helping the City comply with its regulatory requirements under Oregon and other state law, offering credit and identity monitoring services to customers who may have been affected, and operating the call center," said Joshua Romero, Communications Manager for the City.
The City will send snail mail notifications to anyone who may have been affected sometime this week. The City plans to move to a new online payment system in the near future. They already had plans in the works to migrate to a new payment provider within the next year, but they may do it earlier than that because of this incident.
The City has advised customers who made one-time payments or enrolled in autopay between August 30, 2019 and October 14, 2019 to monitor their bank and credit card accounts and report any suspicious charges to their bank. Any customer that may have been affected by the breach will be offered one year of credit and identity monitoring paid for by the City.
Learn more at bendoregon.gov/data-advisory or call 884-987-1209.
Editor's note: This story has been updated from its original version to add more information about CentralSquare. We'll continue to update it as more information becomes available.