WaterISAC has previously posted about the woes regarding Click2Gov on several occasions; see the Security & Resilience Update for November 21, 2019 for a listing of the three other posts. Likewise, a quick Google search reveals many more impacted municipalities and utilities, some of which have been affected more than once. With this recent spate of disclosures, WaterISAC is aware of at least one member that has been negatively impacted. This widespread event represents a significant issue regarding vendor/supplier/service provider risk. Furthermore, given malicious actors' increased targeting of managed service providers (MSPs) to gain a foothold and then cascade into their client bases, it is imperative that members evaluate, assess, and carefully manage third-party relationships and contracts.
Incidentally, Click2Gov has not been the only online payment provider used by state and local government agencies to suffer a security incident in the past year. In September 2018, Brian Krebs reported that GovPayNow.com leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers, and the last four digits of the payer's credit card.
Given the extent of the Click2Gov impact and the potential for a higher-than-normal volume of members to be affected, WaterISAC will be providing a more critical analysis report in the near future. In the meantime, members wishing to know more may contact WaterISAC with an RFI. Likewise, to help WaterISAC more effectively track the impact of the Click2Gov breach, we encourage any water or wastewater utility (member or non-member) to complete a confidential incident report or contact WaterISAC at [email protected] or (866) H20-ISAC.