Data breaches and hacking of financial information have become so common that monitoring credit and debit charges should be a routine task for everyone. But that doesn’t excuse Medford officials’ failure to quickly alert residents that an online payment system had been hacked.
The system, called Click2Gov, contracts with municipalities to provide online bill-paying. Medford uses the system to collect payments for utility bills, business licenses, permits and some parking tickets.
A financial institution alerted the city on April 19 that its online payment system may have been compromised. City administrators were told immediately, and the City Council was informed the following week. But residents were not alerted until July 23, when the city sent a letter to 1,842 cardholders who may have been affected.
Giving the city some benefit of the doubt, the initial notification did not confirm that any hacking had occurred. The unnamed financial institution did not know the details of the city’s payment system. A forensic investigation by an outside contractor established on June 5 that malware had been used to gather customers’ names, credit and debit card numbers, expiration dates and CVV codes.
That was already more than six weeks after the initial notification. But it took the city seven more weeks to alert the public.
Deputy City Attorney Eric Mitten said the city had been working with the forensic investigators “to get more specific information and to pinpoint who may have been affected.”
That’s an important thing to do, but it’s not a reason to keep the hacking secret.
“If we would have announced it immediately, we wouldn’t have known who was and who wasn’t affected,” Mitten said.
To which we say, so what?
When the Oregon Department of Fish and Wildlife was told in 2016 that its online hunting and fishing license system had been hacked, it immediately announced the breach and shut down the system while it investigated.
Of course the city should take as much time as necessary to determine whose information may have been compromised — for its own liability considerations if nothing else. But meanwhile, it should have alerted all those who use the system to check their card and bank statements carefully for unauthorized charges. At the latest, that should have happened on June 5, when the hacking was confirmed.
Yes, as Mitten noted, “we recommend everyone monitor their credit cards, regardless.” But more than 1,000 people waited seven more weeks completely unaware that their personal financial information was at risk. That’s unacceptable.