Breach in parking payment system in Saint John might have exposed data

Saint John parking payment system breached 'multiple' times since May 2017

Saint John has shut down its online system used to pay parking tickets after discovering a data breach that could have exposed customer names, addresses and credit card information.

The city sent out a public notice after learning of the breach Friday afternoon, said Mayor Don Darling. 

"Obviously the privacy of our citizens and their payment information is non-negotiable, it must be private," he said.

"I'm disappointed that this has happened but we certainly live in a complicated world in this day and age in terms of online forces and hackers and folks that are out and after our public information but we're taking this very seriously and our teams are working on this to figure out the level of impact and we'll fix it."

Site shut down

Darling said the payment site has been shut down to prevent access until the city is confident that user information is safe. 

"We want to know how did this happen, how many people were impacted and the indication that I have is this is going to take up to four or five days to get this completed."

We're taking this very seriously and our teams are working on this to figure out the level of impact and we'll fix it. — Saint John Mayor Don Darling

The city uses a third-party software product called Click2Gov from its service provider, CentralSquare Technologies, to provide customers with the ability to pay parking tickets through the city website.

The city says the breach is from an unknown party to the Click2Gov software, which could have impacted a number of municipalities across North America.

Darling said he is disappointed CentralSquare Technologies didn't notify the city about the breach. He said the city only found out about the breach through media reports from other municipalities that use the service.  

"If CentralSquare was aware of this breach and they didn't let us know, then I'll certainly be looking to follow up on that up to and including is that a breach — I would hope that's a breach — of our agreement with them.

"It's a pretty serious and neglectful act, in my view, on their part not to let us know of a breach that happened."

Monitor financial accounts

The city recommends customers closely monitor their financial accounts and if any unauthorized activity is detected, promptly contact their financial institution. Anyone who believes they may have been a victim of identity theft should contact police.

"The City of Saint John takes protection of our data systems very seriously and sincerely apologizes for the inconvenience this incident may have caused," the public statement says.