September 21, 2018 // Ellen Neveux | Last Updated: April 30, 2020
More often than not, the conversation around a data breach, or any other form of cyberattack, revolves around the enterprise. When we talk about the Target breach, we call it just that: the Target breach. We don’t always associate it with the HVAC vendor whose unprotected network led to the breach that still haunts us today, nearly five years later.
But that was five years ago, and the conversation is beginning to shift its focus from the enterprise that was affected by a third-party data breach to the technology vendor associated with the cyberattack. A good, and recent, example of exactly this scenario involves Click2Gov, a well-known software platform used by many cities.
What is Click2Gov?
According to Central Square’s (formerly Superion) website, Click2Gov empowers citizens through interactive self-service bill-pay options for utilities, community development, and finance. In other words, it is payment system software that cities or counties can use on their websites as the platform for residents to pay their utility bills.
A necessary platform, yes, but recent news about this software has exposed some clear shortcomings. Many cities that use the platform say their networks have been breached, and Click2Gov is under fire both from those cities and from those in the cybersecurity field.
Who was affected?
At least ten different US cities that use Click2Gov’s software on their websites have had to warn citizens of a data breach that could compromise their payment card information.
In each scenario, the city or town discovers that something is wrong with its utility payment system, shuts it down, and the city’s name takes the fall. Fingers are beginning to point toward the software vendor, and Click2Gov has been struggling to stay out of the media headlines for breaches.
So, who’s to “blame”?
Here’s where things get even trickier: it turns out Click2Gov’s program was not being attacked directly. A researcher at Risk Based Security noticed a pattern of Click2Gov appearing in breach notification letters and looked into it further. That investigation showed that the attackers did not break in through Click2Gov, but through an unsecured third-party software application: Oracle’s WebLogic server. Even so, the blame in the media continues to be pointed at Click2Gov.
What can we do?
When it comes to network security, you really are only as strong as your weakest link. For a technology vendor, the impact of a data breach attached to your name can be deadly: not only to your budget, in terms of fees and fines, but to your reputation, which can be ruined by a single headline. Even in the Click2Gov situation, where the breach technically did not happen through their software, the Click2Gov name has been dragged through the press for months and been renamed Click2Breach by industry experts. At the end of the day, a data breach can lead to fines, fees, reputational damage, and unlimited liabilities.
Moving forward, technology vendors need to be aware that there are ways to limit their liability while remaining both efficient and aware of potential security risks. Look for the remote support platform that best fits your needs, and consider what you want or need out of such a platform, like:
Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy and efficient, ensures compliance, and reduces liability when supporting customers.