The City of Bend sent warnings to about 5,000 utility customers this week that a cyberattack last fall exposed their credit card information.
The notices arrived in the mail long after other cities sounded alarm bells about the same online bill pay service.
The Click2Gov software used by Bend and many other cities across the country has been targeted repeatedly since 2017 by thieves who sell financial information on the black market, or use it to make online purchases. In the latest breach, more than a dozen governments notified customers weeks or in some cases months before Bend did.
Around 74 days passed between city officials receiving notice of a potential attack, and issuing a public statement. The timeline raises questions about Bend's ability to detect data breaches, and its relationship with Click2Gov's parent company, CentralSquare, which contracts to provide a long list of technologies used by governments.
Emails reviewed by OPB show Bend officials learned of the latest Click2Gov attack on Oct. 25. The city’s manager of enterprise applications, Eduardo Navas, said he sprang into action, but initial security checks by him and CentralSquare didn’t reveal any malicious code.
Three weeks passed.
“It wasn't until Dec. 16 that we received concrete confirmation that we had been compromised,” Navas said.
Still, it wouldn't be until Jan. 7 — three more weeks — until Bend officials would tell the public.
“There was a lot of back and forth with CentralSquare, trying to get them to provide us with as much information as possible before we had a complete picture of what happened," Navas said, blaming the delay on the holiday timing, vague language in the company’s early notifications and the initial failure to find evidence of a hack.
“If we pushed … for more concrete evidence sooner and had asked them if they contracted with a forensic investigator sooner, maybe they would've done that and helped us be aware of the incident a lot sooner,” Navas said.
He said none of Bend’s current security measures would have prevented this kind of malware attack on a third party’s code.
A spokesman from Stanton Public Relations, a New York firm representing CentralSquare, said the company notifies its clients of data breaches as soon as it becomes aware of them and stays in close communication about next steps. He said he wasn't aware if Bend or any other hack victims were using out-of-date versions of the Click2Gov software, and he wasn't authorized to say how the company is working to better protect people’s data.
Bend is still using Click2Gov to process payments for utilities and permits, while assuring customers the site is now safe and secure. Chief Innovation Officer Stephanie Betteridge said the city is speeding up plans to launch a new system within a year.
Other cities quickly dropped Click2Gov's payment processing function due to its track record. A Gresham spokeswoman said that city stopped processing payments with the software in April 2019.
Some customers are taking the exposure in stride.
“I’m not freaking out about about my data being out there,” said Mike Davis, an IT professional whose credit card info was made vulnerable by the city's platform. He already uses fraud monitoring services, and swaps out his card numbers every six to 12 months.
“I know my information is out there. It’s not a matter of ‘if,’ it’s a matter of ‘when and how bad,’” Davis said, adding that this kind of theft has become normal to him.
Other city customers are still awaiting confirmation that attempts at fraud were in fact a result of using the online bill pay system between Aug. 30 and Oct. 14 of last year.
"Looking back at my bank records, I made two one-time payments using my debit card to the City of Bend during the time in question," Source Weekly editor Nicole Vulcan wrote in a recent editorial.
Then, a week before city officials went public with what they knew about the hack, Vulcan said “the same card was involved in a flurry of fraud attempts. I have my bank to thank for rejecting the whopping 47 charges attempted on my debit card from locations all around the world, from Singapore to the Netherlands to Brazil."