Published Saturday, December 22, 2018 12:05 PM EST
Last Updated Saturday, December 22, 2018 3:16 PM EST
SAINT JOHN, N.B. – As many as 6,000 people in Saint John, N.B., could have had their personal information exposed, an analytics group said, as the city announced that it was one of dozens of municipalities affected by a data breach in an online parking payment system.
The city said it learned of a breach of the third-party software product Click2Gov, which is managed by CentralSquare Technologies. The product lets customers pay parking tickets through the city's website.
The city said it had contacted CentralSquare Technologies to investigate the breach.
In the meantime, the city's payment system is shut down, and Saint John officials advise anyone who believes they might be affected to closely monitor their financial accounts and contact their bank if they see any unauthorized activity.
"The city of Saint John takes seriously the protection of our data systems and I sincerely apologize for the inconvenience this incident has caused," the statement said.
Neither the City of Saint John nor CentralSquare Technologies could provide comment on Saturday.
The breach in Saint John is part of a much bigger problem, says Stas Alforov, a cyber security researcher.
A recent report by Alforov, director of research and development for Gemini Advisors, says the firm has discovered that, out of 300 North American cities, nearly 300,000 pieces of payment information have been compromised since 2017, including about 6,000 from Saint John.
Saint John is the only Canadian city affected by the breach; the rest are in the United States.
"Our analysis shows that all injuries are part of a wider hacking operation carried out by the same group of hackers and that they are not accidental," the report said.
Gemini Advisors, which collects information from criminal markets and delivers it to financial institutions, started digging into suspected breaches when it noticed an unusual form of credit card information being published on the Internet.
Alforov said he noticed allegedly stolen credit card information being sold on the Internet that came from smaller communities scattered across North America, rather than from the more typical urban centers.
Through further digging, Gemini Advisors linked these cases to other alleged data breaches of Click2Gov.
After announcing his findings on the Gemini Advisors website, Alforov said, he received a call from Saint John.
"They said, 'We were not really aware of that,' and I said, 'That's understandable, but it looks like you guys were broken in 2017 in September,'" he said.
"I've seen new cards placed, about 1,000 cards every few months, from 2017 to the beginning of November 2018."
He said that not all of those affected are Saint John cardholders: if someone came from outside the city and got a ticket in Saint John, their information may have been compromised. The same would apply to all other cities involved in the breach.
Alforov said that the city gave the names of those who were affected and gave the names of dozens of municipalities involved in the work of the police and Click2Gov.
He noted that CentralSquare Technologies was not always aware of the problem. He added that the company had previously told him that the vulnerable systems were locally installed and that its cloud-based software was not hit.
The company also implemented a patch for this system, Alforov said, but the vulnerability remained.
Alforov said that it is important for municipalities to be aware of the software they use and how to update it, while it is on the software vendor to inform the end user about its product.
"We cannot really point our fingers at Click2Gov alone, or just at the municipality; it's kind of a common problem, in a sense," he said.