Cyber Incident Victim: US Virgin Islands Water and Power Authority

The U.S. Virgin Islands Water and Power Authority (WAPA) experienced a cybersecurity incident involving its Click2Gov online payment portal, developed by Central Square Technologies (CST). WAPA first identified a potential compromise on October 18, 2019, after which it immediately notified CST of the suspected vulnerability. CST was simultaneously investigating an unconfirmed software issue affecting other clients, including Port Orange, Florida, leading to recommendations to suspend Click2Gov use during the probe. A forensics auditor engaged by WAPA initially concluded on October 18 that the payment portal had not been breached, though this assessment faced external skepticism given the timing and pattern of prior Click2Gov incidents.

On October 22, a second customer reported fraudulent activity on their payment card linked to WAPA transactions, prompting renewed contact with CST. CST subsequently confirmed a cyberattack against the Click2Gov application, characterizing it as a novel, previously unseen exploit. The breach resulted in unauthorized access to customer payment card data, with an undetermined number of individuals experiencing credit or debit card fraud. Central Square deployed a security patch to address the vulnerability on October 25, 2019. This incident occurred amid a series of Click2Gov-related breaches between 2017 and 2019 affecting multiple municipalities, though CST did not publicly clarify whether the WAPA attack shared technical commonality with prior compromises. The breach disrupted WAPA’s payment systems and necessitated customer fraud monitoring, while raising broader questions about the software’s security posture.