Carson City department heads respond to hacked financial information of residents
Over the last weekend, Carson City residents began receiving letters informing them that their data and financial information may have been compromised in a data breach involving online water bill payments.
In September, Carson City received a report of a security vulnerability in its third-party vendor's online payment system, Click2Gov, which impacted individuals who legitimately used the website to make payments.
The city then launched an investigation and determined that unauthorized code had been inserted into the online payment system, which was developed by a third-party vendor called CentralSquare Technologies, according to Carson City Manager Nancy Paulson. The code was designed to capture payment card data and other information between the dates of Aug. 1, 2019 and Sept. 12, 2019.
Carson City Manager Nancy Paulson responded with additional information regarding the breach:
In September, Carson City discovered indications of a possible breach to the Click2Gov online payment system. Within minutes of learning this information, Carson City took the server in question out of service and preserved it for forensic analysis. At this time, the city was unable to determine whether a breach had occurred, and if so, whether any data had been compromised. Carson City immediately retained a third-party expert to perform a forensic analysis of the server. The forensic report was completed and returned to Carson City in late October.
Using the forensic report, Carson City was able to identify that a breach had occurred. Carson City then worked to identify the specific individuals affected, which consisted of both Nevada residents and out-of-state individuals. Upon discovery of this information, Carson City retained outside counsel to assist with meeting all statutory notification requirements, which vary from jurisdiction to jurisdiction. Carson City, with the assistance of outside counsel, worked as quickly as possible under the circumstances to ensure that every individual affected by this breach received an accurate and appropriate notification.
A 2019 study conducted by IBM Security found that the average length of time to identify and contain a data breach is 279 days, whereas this breach was identified and contained in 42 days. The breach to the Carson City Click2Gov system was the first experience of its kind Carson City has had with a data breach and the city responded immediately to contain the breach. While it is not possible to eliminate the risk of a data breach, Carson City is dedicated to early detection and continues to strive for a quick response to any potential breach which may compromise the data of its residents.
According to James Underwood, Deputy Chief Information Officer for Carson City, this was a lesson that will help the city better prepare for any future breaches, and officials are hoping to lessen the time it takes to alert the public.
“After we found out there was a breach from the forensics report, we needed to determine who was affected,” said Underwood. “We put in a request to (the vendor) to ask them ‘how do we determine who did transactions who was affected?’ and it took two or three weeks for them to tell us how to get that information alone.”
Once they were able to determine who was affected, said Underwood, the city learned that residents who lived outside the state of Nevada were also affected. Together with the District Attorney's Office, the city sought outside counsel to make sure all of the jurisdictional legal requirements outside Nevada were being met.
Then they needed to move on to the phase of collecting resources to help those who may have been affected, including those out of state. Together with the vendor, they reached an agreement on the way people would be notified and set up the call center with resources ready for those affected.
“This was the first breach of this kind, so we obviously had some questions going along through the process and we’ll be using those lessons learned to create a more formal response plan so we’re better prepared next time around,” said Underwood. “That way, we can shave some time next time around. Like fires, you can do what you can to prevent, but you can’t prevent all fires. We can be prepared to respond in the best way possible next time it does happen.”
Underwood added that even if every system is updated perfectly, there are always unknown things that hackers might know about that haven't been published yet, and these are impossible to prevent. But being able to respond effectively is what will make all the difference if something like this breach were to occur again.
“We take information security very seriously, and we’ve already made improvements in things we’re doing based on lessons learned in this situation, and we have more improvements proposed moving forward,” said Underwood.
Carson City District Attorney Jason Woodbury also weighed in on the breach, saying the city acted as quickly as possible to make sure it had accurate information on who was affected and how the breach had potentially affected residents.
“Determining those things takes some time to figure out,” said Woodbury. “Then there’s the question of what the legally required manner in which notice is provided that we had to address. We acted as quickly as we could to make sure that accurate information was given and that it was given in the manner that met our legal obligations.”
It is estimated at this time that approximately 2,000 people both in and out of Nevada were affected by the data breach.