Cyber Incident Victim: Midwest City
Date: May 2018
Location: United States of America
Summary
Midwest City, Oklahoma, notified residents of a cybersecurity incident impacting approximately 2,300 customers, part of a broader pattern affecting multiple municipalities using Click2Gov software. Attackers compromised systems through a vulnerability in Oracle’s WebLogic application server, a third-party component required to operate Click2Gov, rather than directly breaching the payment platform itself. The incident resulted in unauthorized data access and the installation of cryptocurrency mining malware on municipal systems. Superion Software, Click2Gov’s developer, confirmed the intrusion vector after investigating similar breaches across other cities.
Description
Midwest City, Oklahoma, disclosed a cybersecurity incident potentially affecting approximately 2,300 customers in a notification issued around June 24, 2018. The breach involved unauthorized access to systems running Click2Gov, municipal payment software developed by Superion Software. Investigations revealed the incident was part of a broader pattern affecting multiple U.S. municipalities using Click2Gov, with Oxnard, California, reporting a similar compromise that occurred on May 25, 2018. Attackers exploited vulnerabilities not in Click2Gov itself but in Oracle's WebLogic application server, third-party software required to operate the Click2Gov system. This access vector allowed threat actors to infiltrate municipal networks supporting the payment platform.

Superion Software's investigation confirmed the WebLogic vulnerability as the entry point, eliminating Click2Gov as the direct source of compromise. Beyond data breaches, attackers deployed cryptocurrency mining software on compromised municipal systems. The incident impacted numerous cities beyond Midwest City and Oxnard, though specific additional municipalities weren't named in the disclosure. Midwest City officials notified affected residents approximately one month after the Oxnard breach occurred. No specifics regarding compromised data types or forensic investigation timelines were disclosed in the public notification. The coordinated nature of attacks across geographically dispersed municipalities indicated a systematic exploitation of the third-party software vulnerability.
