Published December 22, 2018 at 12:05 am EST
Last Updated on Saturday, December 22, 2018 3:16 AM EST
SAINT JOHN, N.B. – Up to 6,000 people in Saint John, N.B., could have had their personal information exposed, an analyst team said, after the city said it was one of dozens of municipalities affected by a breach of an online parking ticket payment system.
The city said it had received word of breaches of the third-party software product Click2Gov, which is managed by CentralSquare Technologies. The product allows customers to pay for parking tickets on the city website.
The city said it had contacted CentralSquare Technologies to investigate the breach.
Meanwhile, the city's payment site is closed, and Saint John staff advise anyone who believes they may be affected to closely monitor their accounts and contact their bank if they see unauthorized activity.
"The city of Saint John protects our information system very seriously and sincerely regrets that this event has caused harm," says the city newsletter.
The city of Saint John and CentralSquare Technologies could not immediately be reached for comment on Saturday.
The Saint John breach is part of a much broader issue, said Stas Alforov, a cyber security researcher.
A recent report by Alforov, Director of Research and Development at Gemini Advisory, said that nearly 300,000 payments across 46 North American cities, including about 6,000 in Saint John, have been compromised since 2017.
Saint John is the only Canadian city involved in the breach; the rest are in the United States.
"The analysis shows that all violations are part of a larger hacking operation performed by the same hacker group and are not random in nature," the report said.
Gemini Advisory, which collects information from criminal marketplaces and delivers it to financial institutions, began to dig into the suspected breaches when it discovered an unusual pattern of credit card information posted online for sale.
Alforov said he saw stolen credit card information allegedly for sale from a network of smaller communities scattered across North America, rather than from the more typical urban centers.
Through further digging, Gemini Advisory connected these cases with other cases in which it was claimed that information had been breached through Click2Gov.
After Alforov had posted the findings on the Gemini Advisory website, he said he heard from the city of Saint John.
"They said, 'We were not aware of this,' and I said, 'It's understandable, but it seems that you were broken in 2017 in September,'" he said.
"I have seen the new cards loaded, about 1000 cards around every few months, during the period of 2017 to November 2018."
He said that not all cardholders were from Saint John: if someone came from outside the city and had received a ticket in Saint John, their information might have been compromised. The same applies to all other cities involved in the breach.
Alforov said he had given the cities the names of those affected, and had given dozens of municipalities' names to both law enforcement and Click2Gov.
He noted that CentralSquare Technologies was not always aware of the breaches right away. He added that the company had previously told him that these systems were all locally hosted and that its cloud-based software had not been affected.
The company had also introduced a patch, Alforov said, but the vulnerability remained.
Alforov said that it is important for municipalities to be aware of the software they use and how it is kept up to date, while the software vendor must keep end users informed about its product.
"We can't really point our fingers at Click2Gov or the municipality, it's a kind of common problem, in a sense," he said.