City strategies helped divert impact of recent data breach

Courtesy of Flickr

Charleston parking ticket.

Taylor Adams

The City of Ames parking payment data breach could have been worse but was protected, in part, by city data protection strategies, a city official says.

The City of Ames is dealing with their first-ever data breach, said City of Ames Finance Director Duane Pitcher. This comes in the wake of various reports concerning unauthorized charges to users credit and debit cards.

The city uses different third-party services to facilitate online payments; while online parking tickets use one system, payments for city bills use another system. This means if one service becomes compromised, it doesn’t potentially endanger the information used within all city payments.

The use of third party services, rather than the city storing its own data, is generally safer for data protection as well, Pitcher said. As a result, citizens who made payments to other third party programs, like the ones used for utility payments, were not compromised.

The parking payment breach gave opportunity for the user’s first name, last name, mailing address, email address and debit/credit card number to be intercepted. Pitcher said this was also a benefit of separating the systems as the data stored by third party service, Click2Gov, was not adequate information intercepted for identity theft to occur.

“It was credit cards and names, so similar exposure to if you handed your credit card to a server at a restaurant,” Pitcher said. 

Those who used the City of Ames online payment system to pay parking tickets between Aug. 10 and Nov. 19 are most likely to be affected by the breach.

Following the few reports from users the City of Ames hired forensic data analysts who were able to confirm there had been a data breach concerning Click2Gov.

The City of Ames quickly changed their server and the software to further eliminate the remaining vulnerability caused by the breach.

“It was man in the middle attack…and it was happening with multiple of their customers,” Pitcher said. “What they did get was the actual transactions that moved through the system.”

The city has sent letters letting citizens know that may have been affected.

“Regardless of the data breach it may be a good time to remind people its a good idea to be checking their transactions periodically,” Pitcher said.

In the end, Pitcher said this will be more of an issue for the credit card companies who have to reimburse fraudulent charges.