Paying parking tickets or municipal water taxes is never fun—and it’s even worse when hackers have compromised your town’s payment system. Yet, that’s what happened in dozens of towns across the U.S. where cyber crooks have made off with the personal data of nearly 300,000 people.
Security research firm Gemini Advisory published a report Tuesday that provides new details on how vulnerabilities in Click2Gov, a widely used type of government payment software, has affected towns from Oceanside, Calif. to Sarasota, Fla.
The vulnerability has let hackers get onto the payment networks and steal credit card and debit card data when citizens use town websites to pay fines, taxes, and permits.
Reports of vulnerabilities in Click2Gov first surfaced in 2017 and, in September, cyber security giant FireEye confirmed the attacks were a nationwide problem.
The new Gemini report provides additional details about the extent of the hacks, and what the crooks are doing with the data. According to the firm, at least 294,929 payment records have been compromised in 46 U.S. cities, while criminals have earned $1.7 million selling the data on the dark web—typically for $10 per record.
Gemini’s Director of Research, Stas Alforov, told Fortune that Click2Gov has worked with many of the affected towns to patch the software, and that the breaches have arisen in part because of a lack of sophistication on the part of municipal IT workers.
The company that licenses the Click2Gov software, known as CentralSquare Technologies, did not immediately respond to a request for comments about the breach.
For the citizens using Click2Gov to honor their civic obligations, the breaches will not likely result in a financial loss since banks and credit card companies typically foot the bill in the case of stolen data. But the incidents do mean all of the aggravations that go with identity theft, including the need to replace their cards and possible damage to their credit scores.
Gemini’s Alforov says that many of the towns have addressed the Click2Gov vulnerabilities, but others have not, meaning the data exfiltration is ongoing.
Alforov added that the hackers behind the breaches do not appear to be particularly sophisticated, but that they have nonetheless figured out how to profit from the weak security of local governments.
Gemini was able to identify the affected municipalities by examining the addresses related to the stolen cards. Other affected towns include Laredo, Texas, Topeko, Kans. and Medford, Ore. A full list is available here.
