Cyber Incident Victim: City of Waco

On November 8, 2019, the City of Waco was notified of a security breach affecting its online water bill payment system operated through the Click2Gov portal developed by CentralSquare Technologies. The breach exposed payment information of customers who used the web portal between unspecified dates preceding this notification. City officials confirmed that approximately 8,000 customers—representing nearly two-thirds of the typical monthly online payment volume of 12,500 transactions—had their data compromised during the incident period. The breach exclusively impacted online payments processed through Click2Gov, with in-person credit card transactions at water office locations remaining unaffected. CentralSquare Technologies acknowledged a vulnerability in the Click2Gov software that facilitated unauthorized access but stated it had been patched, while emphasizing only a "limited number" of clients reported breaches.

The City of Waco initiated customer notification procedures by mailing letters to all identified affected individuals within weeks of discovering the breach. These communications advised recipients to monitor financial statements for fraudulent activity and provided specific protective guidance. Municipal spokesman Larry Holze confirmed the dispatch of notifications and established a dedicated telephone hotline (833-947-1419) operational on weekdays to address resident inquiries. With 44,000 total water customers in the municipality, the incident impacted approximately 18% of the customer base through the compromised online payment channel. No details regarding the specific types of data exfiltrated or forensic findings about the attack methodology were disclosed by city officials or CentralSquare Technologies in the available reporting.