Cyber Incident Victim: Cucamonga Valley Water District

The Cucamonga Valley Water District (CVWD) experienced a data security incident involving its Click2Gov web payment portal, operated by third-party vendor Central Square. Between August 26, 2019, and October 14, 2019, unauthorized actors breached a server used to process one-time credit card payments from customers. CVWD was notified of the breach by Central Square, which maintained and operated the compromised infrastructure. The breach specifically impacted the external payment system rather than CVWD's internal networks. Central Square initiated an investigation with assistance from a cybersecurity firm, though investigators found no conclusive evidence confirming exfiltration of customer payment data. The scope was limited to customers who made one-time payments through Click2Gov during the seven-week exposure window, excluding all other CVWD account holders.

Central Square implemented security measures to prevent further unauthorized access to the payment portal following the investigation. As a precautionary measure, the vendor offered affected customers a twelve-month subscription to TransUnion's credit monitoring service. CVWD began notifying potentially impacted individuals via direct mail with breach details and remediation options. The water district publicly acknowledged the incident on December 4, 2019, emphasizing its commitment to customer privacy while confirming reevaluation of its vendor relationship and Central Square's security protocols. No operational disruptions to water services occurred, and CVWD maintained regular customer service channels throughout the incident response. The organization established dedicated phone support through Epiq Global and its internal customer service team to address public inquiries regarding the breach.