Cyber Incident Victim: City of St. Petersburg
Date: Aug 2018
Location: United States of America
Summary
The City of St. Petersburg experienced a data breach impacting its third-party Click2Gov online payment system, compromising credit card information of users processing transactions for municipal services during a specific timeframe. Malicious software infiltrated the vendor's server to collect payment data, affecting multiple other U.S. municipalities utilizing the same platform. Attackers employed web shells and specialized tools to intercept and exfiltrate card details, including numbers, verification codes, expiration dates, names, and addresses, while in-person and alternative payment methods remained unaffected. This incident followed prior security alerts regarding vulnerabilities in the payment portal's infrastructure.
Description
The City of St. Petersburg, Florida, experienced a data breach involving its third-party Click2Gov online payment system between August 11, 2018, and September 25, 2018. The breach was disclosed by the city on September 27, 2018, following notification from Click2Gov's developer, Superion, that malicious software had compromised their server to collect customer information. The incident exclusively affected users who made online credit card payments through Click2Gov for municipal services such as utility bills, parking tickets, business licenses, building permits, and civil citations. Payments made via in-person transactions, phone systems, E-Check, or other city systems were not impacted. Superion confirmed the attackers exploited a vulnerability in the Oracle WebLogic module, which the company had advised customers to patch in June 2018 after identifying it as an entry point for compromises. While St. Petersburg did not specify the exact data stolen, previous Click2Gov breaches indicated credit card numbers, verification codes, expiration dates, names, and addresses were likely exfiltrated.

The breach formed part of a broader campaign targeting Click2Gov systems across multiple U.S. municipalities. Since May 2018, at least eighteen other cities, including Oxnard, reported similar incidents involving stolen payment card data. FireEye's analysis revealed attackers deployed a JavaServer Pages (JSP) web shell named SJavaWebManage to maintain persistence on compromised servers and enable debug mode for capturing credit card details in plaintext logs. Two custom tools—FIREALARM and SPOTLIGHT—were used to exfiltrate payment logs and intercept web traffic, respectively. Superion had previously issued alerts about suspicious activity on Click2Gov portals in October 2017, though the scale of subsequent breaches escalated in mid-2018. The City of St. Petersburg’s public notification emphasized the breach’s limited scope to online credit card transactions during the specified timeframe but did not disclose the number of affected individuals or specific mitigation measures beyond collaborating with Superion.
