Cyber Incident Victim: City of Bend

Date: Aug 2019

Location: United States of America

Summary

A cybersecurity incident involving the City of Bend's online utility payment portal, managed by a third-party vendor, potentially compromised payment card information of customers who made one-time payments or enrolled in auto pay during a specific period. Malicious code inserted into the software may have exposed cardholder names, billing addresses, card numbers, security codes, and expiration dates, though Social Security numbers were unaffected as they were not collected. The breach was contained by removing the malicious code and implementing additional security measures, with no ongoing risk identified. Affected individuals were notified and offered complimentary credit monitoring services, while the city collaborated with forensic investigators and law enforcement to assess the incident and planned to transition to a new payment provider.

Description

The City of Bend, Oregon, experienced a data security incident involving its online utility payment portal, Click2Gov, between August 30, 2019, and October 14, 2019. The city was notified by CentralSquare, the third-party vendor managing Click2Gov, that malicious code had been inserted into the software. This code potentially allowed unauthorized parties to copy payment card information from customers who made one-time utility bill payments or enrolled in auto pay using credit or debit cards during the affected period. The compromised data included cardholder names, billing addresses, card numbers, card types, security codes, and expiration dates. Social Security numbers and government-issued identification numbers were not impacted, as the city did not collect this information for utility billing. Customers who set up auto pay before August 30, 2019, or after October 14, 2019, or who paid via in-person methods or checks were unaffected. Existing auto pay users were also not exposed to the breach.

Upon discovery, the City of Bend collaborated with CentralSquare to remove the malicious code and implement additional security measures to prevent ongoing or future incidents. The city emphasized that the breach stemmed from vulnerabilities in Click2Gov’s software, not from weaknesses in its own infrastructure or systems. An investigation involving CentralSquare, third-party forensic experts, legal counsel, and local and federal law enforcement was initiated to determine the full scope and nature of the incident. Affected customers were notified via direct mail and offered one year of complimentary credit and identity-monitoring services. The city established a dedicated call center and a webpage to address inquiries and urged impacted individuals to monitor their financial accounts for suspicious activity. Plans were also announced to transition to a new payment processing provider to enhance security. Chief Innovation Officer Stephanie Betteridge reiterated the city’s commitment to data privacy and mitigating future risks, though the investigation remained ongoing at the time of the disclosure.
