Drivers who paid Ames parking tickets through the city’s online payment system are being warned to watch their financial statements for the next few weeks after the software company reported a data breach from July 30 to Sept. 12

Paper notices have been sent to the 1,498 individuals affected by the breach. This is the second breach to affect Ames drivers through the Click2Gov software application, a third-party platform run by CentralSquare Technologies. 

“We’ve got to urge [the public] to be monitoring their bank accounts. We’ve got to get them practicing some safer habits such as having text message alerts whenever a banking transaction occurs,” said city of Ames Information Technology Manager Dorrance Smith. “If it’s something suspicious, then they can immediately reach out to their bank rather than waiting for a period of time.”

In 2018, the city announced 4,600 motorists may have had personal information breached between Aug. 10 and Nov. 19, which included encrypted first and last names, mailing addresses, email addresses and debit/credit card information. 

The same type of data is at risk through this breach. At least eight cities were attacked, Ars Technica reports, and six of them were previously compromised in 2018. More than 20,000 records are thought to be at risk. 

The Click2Gov platform is integrated with other CentralSquare Technologies products used by the city of Ames, which hampered moving the city to other services, Smith told the Business Record. The city is also shuffling planned budget expenses to lock down parking ticket payment data. 

“When this happened and we had to report it last [year], my immediate statement to executive leadership was ‘we need to get rid of this thing,’” Smith said. “Unfortunately local government is beholden to budgets, so we can’t simply raise taxpayers’ property taxes at will.”  

After the 2018 breach was discovered on Nov. 18, city IT staff set up an on-site server dedicated to Click2Gov processing. On Sept. 12, 2019 -- days before traffic entered Ames for the Iowa State-University of Iowa football game at Jack Trice Stadium -- the city learned other municipalities using the Click2Gov system were reporting a breach of banking information by drivers. 

CentralSquare told Ames staff the city’s server showed markers consistent with other municipal breaches, Smith said, and the city took the server offline to begin analysis and send a copy of the server to a private forensic analyst. Ames then established a brand new server to be active immediately as the city prepared to move operations to the cloud. 

The system compromised encrypted customer data by assigning a shared, identical key to multiple municipalities using Click2Gov -- which meant if one municipality was breached, all others would be at risk of de-encryption as well. Smith said the company did not disclose that the city would be using a shared key. 

“When you do encryption of data, you always want to use a unique key. To have this shared key, that was where my eyes just rolled back into my head, like, ‘are you kidding me?’ Because we knew instantly what that meant,” he said. “The data was encrypted when it was captured. However, because of this idea of the shared key, it increases the likelihood that the data that was captured can be decrypted, then used and sold.” 

Today, drivers are able to pay parking tickets through the city website, Smith said. The IT department is transitioning multiple servers onto the cloud, which is estimated to cost up to $250,000. The option had been in discussion before the latest breach was recognized -- Smith had city approval to begin moving Ames operations to CentralTechnologies’ cloud on Sept. 9, three days before the city was notified of a breach, he said. Moving forward, Smith’s department is investigating what it will take for the city to move operations to other vendors. 

“They said that none of their cloud customers were impacted by this … so as a temporary stopgap I have agreed to go ahead and, for continuity, move it off to their cloud solution. However, it would be irresponsible and unethical for me not to consider other options, especially at this point,” Smith said.