Thousands of customers of Marietta Power & Water Department may have had their information stolen in a software hack of a bill payment system.
The city was notified Dec. 3 by the FBI and Central Square Technologies, a software vendor, that its utility payment system experienced a security breach, exposing bill payment information of thousands of customers of Marietta Power & Water Department.
FBI Atlanta Field Office spokesman Kevin Rowson said the agency would not comment on the case.
Marietta said the credit card information of customers using the Click2Gov online bill payment portal between Aug. 26 and Oct. 26 was exposed and shared on the so-called “dark web.” The dark web is made up of encrypted websites that are not accessible through traditional search engines.
Central Square Technologies, based in Florida, operates “Click2Gov” bill payment system used by Marietta’s utilities department and others around the country. The business did not return a phone call for information Wednesday.
According to its website, Marietta Power & Water is the largest municipal electric utility in Georgia. It serves more than 45,000 power and 17,000 water and sewer customers.
Marietta’s breach comes six months after Henry County experienced a ransomware attack. The county government has spent $650,000 restoring its computer network following the hack. Other metro Atlanta entities hit by cyber attacks include the Department of Public Safety, the Lawrenceville Police Department and city of Atlanta.
Marietta Information Technology Director Ronnie Barrett said the FBI asked the city to hold off on publicizing the breach while the investigation progressed. The city was given the green light this week to inform its residents of the situation.
Barrett said it appears customers who manually entered their credit card information during those two months, which amounts to about 8,800 transactions, are affected by the breach. Customers who used the auto pay system before or after the affected dates and anyone who paid in-person, by mail or over the phone were not affected, the city said.
While the FBI has not provided many details to the city about the breach, Barrett said it appeared only the credit card numbers entered were stolen. This does not affect the system Marietta uses to collect and process property tax payments.
Marietta said Tuesday that more than 30 cities around the U.S. who use Click2Gov may have been affected by various breaches. According to the Houston Chronicle, the city of Sugar Land was notified in October of a similar breach Marietta is now experiencing. Other cities notified by Central Square Technologies of vulnerabilities include Dothan, Alabama and Fort Worth, Texas.
The city said Central Square Technologies has fixed the vulnerability, and no other credit card information has been compromised since they rolled out the patch. However, the company will offer free credit monitoring for 12 months for customers who potentially had their personal information compromised. Letters will go out in the mail this week notifying customers caught up in the breach detailing how they can take advantage of that service.
Barrett said the city has used Central Square Technologies for its billing system since the 1990s. The IT director said he discussed the breach Tuesday evening with Mayor Steve Tumlin and City Manager Bill Bruton, and said the possibility about finding another service provider has not been ruled out.
“I think that at this point, it’s up for discussion,” Barrett added.
Marietta has set up a phone number residents can call to ask questions about the breach and see what next steps they can take. Customers who believe they may have been compromised or have questions can call 770-794-1803 to speak with a city employee.
Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.
Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.