Sugar Land, TX - Official Website

▼
Online Payment Portal Compromise

1. What happened?: On October 25, 2019, the City was notified by CentralSquare, the City’s third-party online payment processing vendor, of a minor issue with the online payment portal. It was not until December 12, 2019, that the City was further made aware that there were unauthorized alterations to the software code in the Click2Gov portal that would allow the copying of a user’s credit card data entered into their internet browser when making a payment. The City immediately began an assessment along with external data privacy professionals and CentralSquare, which engaged a third-party forensic firm to determine what happened and what information may have been affected during the relevant time period. CentralSquare has indicated that this incident may affect individuals who used the City’s payment system to make a payment to the City between August 30, 2019 and October 14, 2019. The unauthorized user may have acquired information that included first and last names, billing addresses, payment card numbers, payment card types, CVVs (security code) and expiration dates. Social Security numbers were not impacted by this incident.

2. How did this happen?: There were unauthorized alterations to the software code in the Click2Gov portal that would allow the copying of a user’s credit card data entered into their internet browser when making a payment during the window of potential compromise.

3. Who is affected by this incident?: A limited number of individuals who completed a transaction between August 30, 2019 and October 14, 2019.

4. Is Sugar Land the only City impacted by this issue with CentralSquare?: No. There have been several cities throughout Texas and the United States that have all been impacted by this issue.

5. Does the City take other payments besides water?: Yes, there are a variety of payments, utility, permits, inspections, and miscellaneous payments.

6. Should I withhold my next payment until y’all figure this out?: No, please remit your payments through one of the payment methods outlined in the public notification.

7. What other entities were breached? Maybe my property tax payment?: Only city services related to one-time online payments were affected during the time frame. Property taxes are paid through the county.

8. Why did I receive a notification from the City?: Our records indicate you completed a transaction during the period of potential compromise. Protecting the privacy and security of your information is a top priority for the City. The City values and respects your privacy, which is why it is advising you about the incident potentially impacting some of your information. The City wants to share the steps it has undertaken since discovering the incident and to provide you guidance on what you can do to protect yourself.

9. I received a notification from the City about a security incident. Does this mean someone has misused or will misuse my information?: No. It means you completed a transaction during the period of potential compromise. Out of an abundance of caution, the City wants to make you aware of the incident and let you know that it continues to take significant measures to protect your information.

10. What information of mine was involved?: The unauthorized user may have acquired information that included first and last names, billing addresses, payment card numbers, payment card types, CVVs (security code) and expiration dates.

15. As a result of this incident, will I become a victim of identity theft?: The type of information compromised is not typically associated with identity theft, but rather potential payment card fraud. The unauthorized user may have acquired information that included first and last names, billing addresses, payment card numbers, payment card types, CVVs (security code) and expiration dates. Out of an abundance of caution, the City wants to make you aware of the incident and let you know that it continues to take significant measures to protect your information.

16. Why was there a delay in notification of this incident?: There was no delay in providing notice. It was not until December 12, 2019, that the City was made aware that there were unauthorized alterations to the software code in the Click2Gov portal that would allow the copying of a user’s credit card data entered into their internet browser when making a payment. The City immediately began an assessment along with external data privacy professionals and CentralSquare, which engaged a third-party forensic firm to determine what happened and what information may have been affected during the relevant time period.

17. What is the City doing in light of this incident?: CentralSquare has informed the City that it has removed the unauthorized script from the code of the payment portal. To help prevent a similar incident in the future, the City is taking steps to enhance its existing security protocols and is moving to a new payment system.

18. How do I know if my information was involved in this incident?: The City has notified those potentially affected via U.S. Mail. If you did not receive a notice letter and you think you may be impacted, please contact 311 or 281-275-2900.

The City suggests you consider taking the following steps:

Enroll in the credit monitoring services offered at no cost to you.
Review payment card account statements closely and report any unauthorized charges to your card issuer immediately because card-network rules generally provide that cardholders are not responsible for unauthorized charges that are reported promptly.
You may consider placing a fraud alert and/or security freeze on your credit file.
You may order a free credit report.

20. Why did I not receive a notice about this incident?: The City provided notice via U.S. Mail to all those potentially impacted. If you did not receive a notice letter and you think you may be impacted, please contact 311 or 281-275-2900.