MARIETTA — About 8,800 Marietta utility customers may have had their credit card information compromised after a third-party software vendor reported a security breach.
Central Square Technologies, which processes payments such as electric, water and sanitation for the city, reported that Marietta was one of over 30 cities that may have been affected by the breach.
Tax payments were not impacted.
Customers who manually entered credit card payments on the city’s website using Click2Gov between Aug. 26 and Oct. 26 may have been affected. Only customers who entered their credit card number manually during those dates would be at risk, said IT Director Ronnie Barrett. Those who are enrolled in the auto pay system were not affected, nor were those who paid in person, by mail or over the phone.
Officials with Central Square Technology told the city they do not have any evidence proving that any Marietta customer transaction was compromised, but said they will offer free credit monitoring to all potentially affected customers “out of an abundance of caution.”
Marietta IT Director Ronnie Barrett said information related to customer data was found on the dark web.
The term “dark web” refers to parts of the internet that are not accessible through normal means and are used for illegal activities, including buying and selling personal data.
“The transaction on the dark web had six fields of information on it, it was the credit card number, the first name, the last name, the address, the city, the state and the ZIP code,” he said. “And there is a strong linkage between that data with other customer data. ... The FBI is assuming that all of that data was related to the Click2Gov. So there was no direct linkage, but they believe that’s where the linkage is. They have not verified that yet.”
The city said letters are being mailed this week to customers who may have been impacted. Those who have questions or believe they may have been impacted are advised to call 770-794-1803 to speak with a city employee.
“It is important to note that this Click2Gov application is not part of our internal city network therefore no internal city systems were compromised or impacted,” Barrett said. “The city of Marietta takes the protection of our data systems very seriously and constantly updates all our systems so that risks to our customer data can be minimized. The Click2Gov system had security updates applied to it several times throughout the year. In addition, the city also performs internal and external testing to ensure that the systems are not prone to any known vulnerabilities.”
This is not the first time Central Square Technology has experienced a data breach.
In December 2018, researchers with security firm Gemini Advisory reported a breach with the service they said compromised over 300,000 payment card records from dozens of cities across the United States and Canada between 2017 and late 2018.
That attack generated over $1.9 million in illicit revenue, Gemini Advisory reported.
Barrett said that breach represented a different vulnerability on a different version of the product the city hasn’t been on for a long time. He said the city has been with he company for utility billing since the 1990s, through multiple iterations of software, and this is the first problem the city has had.
Barrett said the city will reexamine its relationship with Central Square Technology.
“We will evaluate that going forward,” he said. “We obviously have to process credit cards right now, so short term, we’re working with them. They have taken all the steps they need to do to make sure this vulnerability doesn’t exist anymore. So at this time, we will be using them, but we will evaluate going forward.”
Mayor Steve Tumlin agreed, saying the city is keeping its options open.
“Logically, when something like this happens, it does open the door for somebody to submit a bid. ... Common sense will tell you this is a major first strike,” he said.