At least 12,000 people had sensitive financial information stolen by hackers who secretly implanted malicious code into the utility payment website of the city of Lubbock, Texas.
The city began sending breach notification letters to victims across the country this week, explaining that the people impacted include anyone who made a utility payment between December 18, 2024, and January 6, 2025. That includes those who paid utility bills for water, wastewater, storm water and solid waste.
The hackers stole names, billing addresses, payment card numbers, CVVs and expiration dates.
According to the letters, the payment website is hosted by a third-party vendor and city officials discovered on January 6 that a malicious actor “created a fake pop-up window on the [City of Lubbock Utilities] payment website, which requested credit card payment information from users.”
“Customers attempting to make payments on the legitimate COLU payment website were being directed to the fake pop-up window between December 18, 2024, and January 6, 2025,” officials said.
“Although the City has accounted for all payments made during this period and no payments were delayed, this incident may have allowed the malicious actor to collect payment card information from individuals who entered their details in the fake pop-up window during this timeframe.”
The city did not respond to a request for comment.
Texas’ state data breach portal said 12,503 people in Texas were affected but notices have been filed in several other states including Vermont. Lubbock has a total population of about 270,000 people.
The letters do not say which third-party vendor was behind the breach but they note that the hackers did not breach the city’s internal network.
In the past, hackers used skimmers that were physical devices installed on payment terminals. However, since the start of the COVID-19 pandemic and the increased popularity of e-commerce, hackers have adapted and are now using e-skimmers, which are malicious code inserted into an e-commerce website to steal data entered into the payment field, most recently impacting the website of the Green Bay Packers.
Cybersecurity experts at Recorded Future track the exposure of payment cards stolen by hackers and sold on the dark web each month. The Record is an editorially independent unit of Recorded Future.
For March, threat actors posted 16 million card records for sale on dark web sources, representing an increase compared to February.
“We also observed 5 million freely posted full card records on Telegram,” the payment fraud intelligence team said. “Additionally, we observed over 150,000 stolen US checks being posted on Telegram, 19% of which were new and unique.”
Another large Texas organization, the State Bar of Texas, announced a data breach this week impacting at least 2,700 people in the state. Sensitive data like Social Security numbers, passports, credit card numbers and more were stolen in the attack, which was claimed by the Inc ransomware gang one month ago.