Data breach through Click2Gov hits drivers who paid Ames city parking tickets

A data breach could have compromised the payment information of 4,600 motorists who paid city-issued parking tickets in Ames — using a software application also implicated in at least 18 municipal breaches nationally since early 2017.

Affected motorists who paid Ames parking tickets using the Click2Gov application from Aug. 10 to Nov. 19 may have had personal information breached, the city reported in a Friday afternoon press release, including first and last names, mailing addresses, email addresses and debit/credit card information. Ames information technology staff discovered a potential compromise on Nov. 18 in the city’s link to Click2Gov, a third party platform formerly run by Superion, now CentralSquare Technologies. Ames IT staff took the system offline for assessment until Nov. 20, the city reported, and provided a copy of the web server to a private forensic data analyst.

“We are very sorry this happened to our customers. The city of Ames is extremely concerned by this incident, but we’re confident we’ve addressed the vulnerability and corrected it,” said Ames Finance Director Duane Pitcher. “We know cyber attacks can occur any time, and we remain vigilant about keeping information shared with the city safe. We expect the same from vendors linked to our website.”

Click2Gov has been identified as a common link in municipal breaches by researchers at Risk Based Security (RBS) dating back to April 2017, affecting at least 10 communities aside from Ames in 2018. Only one-time payments seem to be at risk of breach, and data for customers with auto-pay enabled does not seem to be exposed, researchers at RBS said.

In September, Click2Gov provider Superion announced a merger with public sector software companies TriTech Software Systems, Aptean and existing TriTech subsidiary Zuercher Technologies to form CentralSquare Technologies. Former Superion CEO Simon Angove was announced as CentralSquare’s CEO