New Brunswick

Credit cards sold on 'dark web' for over a year after Saint John parking system hacked

The City of Saint John is beefing up security systems, increasing training and buying cyber insurance in the wake of a breathtaking security breach that left credit card information from members of the public wide open to hackers.

Hackers had access to city parking fine server for 18 months and sensitive information for about 6,000 people

CentralSquare Technologies' head office in Lake Mary, Florida. The company owns click2gov software and Saint John Mayor Don Darling wants to know why the company did not notify the city of the cyber attack. (Google Street)

The City of Saint John is beefing up its security systems in the wake of a breathtaking security breach that left the public's credit card information wide open to hackers.

In December, the city's information technology staff learned that for the past 18 months, the municipal server for collecting parking ticket fines had been infected with a malware outbreak.

It gave hackers access to names, card numbers, card verification numbers, expiry dates and addresses for as many as 6,000 people, who paid their parking fines using credit cards online, in person or over the phone.  

On Dec. 19, IT World, an online publication, reported the breach of the click2gov software, citing Saint John specifically in the article, even though 46 other municipalities across North America were affected. 

City wasn't notified of the breach 

Stephanie Rackley-Roach, acting director of corporate performance for the city, described to councillors what has been learned of the click2gov cyber attack. (CBC)

The story didn't come to the attention of city staff until Dec. 21, and by that time the municipality still hadn't been notified by click2gov's manufacturer, CentralSquare Technologies.

The city shut down the click2gov server halting online payments, but by then sensitive information belonging to card users had already been for sale on the so-called "dark web" for 15 months.

"Why weren't we notified? Why did we have to find out in an article?" asked Saint John Mayor Don Darling at a Monday night council meeting.

"It wouldn't meet my definition of a partnership in the CentralSquare folks, the click2gov folks that we were working with."

Five weeks later, the city's parking fine server remains offline while arrangements are being made with an alternate service provider.

Number of stolen credit cards unknown

In the meantime Stephanie Rackley-Roach, the city's acting director of corporate performance, said the Canadian Institute of Cyber Security will perform a threat assessment on the city's IT systems.

Security measures will be evaluated, antivirus software improved and more robust firewalls will be installed. There will also be further training for IT staff and others who use the system.

The city will also purchase cyber insurance as a precautionary measure.

The city still isn't sure how many credit cards were stolen and later sold. But Saint John police have received 18 complaints since the city issued public notice of the security breach on Dec. 21.

In an update to its Dec. 19 article, IT World reported the cards stolen in the click2gov hack were sold on the dark web for an average of $10 US each.

About the Author

Connell Smith is a reporter with CBC in Saint John. He can be reached at 632-7726 Connell.smith@cbc.ca

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.