Cyber Incident Victim: City of Odessa
Date:
Aug 2019
Location:
United States of America
Summary
The City of Odessa experienced a data security incident involving unauthorized access to customer payment information processed through its third-party online payment system, Click2Gov. The breach exclusively compromised credit and debit card details of individuals who made one-time utility bill payments via the platform, while recurring payments and other transaction methods remained unaffected. The municipality confirmed the incident originated within the Click2Gov infrastructure and not its own systems, noting that regular security updates and vulnerability testing had been conducted on the platform. Affected customers received direct notifications regarding potential exposure of their financial data.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The City of Odessa experienced a data security incident involving its third-party online payment system, Click2Gov, between August 27, 2019, and October 14, 2019. The breach compromised credit and debit card information belonging to customers who used Click2Gov for one-time utility bill payments during this period. The City of Odessa relied on Click2Gov to facilitate online payments but confirmed the breach originated within the third-party provider’s systems, not the city’s infrastructure. On December 11, 2019, Click2Gov formally notified the city of the incident, prompting the city to issue public notifications the following day. The compromise exclusively affected customers who made single, non-recurring payments through Click2Gov’s online portal. Payment methods such as in-person transactions, phone payments, E-Check transfers, or interactions with other city systems remained unaffected. The city emphasized that Click2Gov had received multiple security updates throughout 2019 and underwent routine internal and external vulnerability testing prior to the breach.
In response, the City of Odessa initiated direct notifications via mailed letters to customers identified as having made one-time Click2Gov payments during the exposure window. The city advised impacted individuals to monitor their financial accounts for unauthorized activity and contact their financial institutions if discrepancies were detected. It further recommended filing complaints with the Federal Trade Commission through designated phone or online channels and obtaining free credit reports from Equifax, Experian, and TransUnion. While underscoring its commitment to system security through regular updates and testing protocols, the city deferred responsibility for the breach to Click2Gov as the third-party service provider. No evidence suggested broader compromise of city-operated systems beyond the isolated Click2Gov incident. The public advisory reiterated FTC guidance encouraging periodic credit report reviews even in the absence of immediate suspicious activity.