The Virgin Islands Water and Power Authority (WAPA) continues efforts with Central Square Technologies to determine the number of customers affected by a recent cyberattack on a payment processing application. Central Square Technologies is a third-party vendor used by WAPA to process credit card payments.
“We met today with representatives of Central Square who are carrying out an investigation on the scope and cause of the cyberattack. The effort continues to determine the date range of the cyberattack and the number of customers whose credit card information was compromised while their payment transaction to WAPA was being processed,” said Executive Director Lawrence Kupfer.
“In our discussion with Central Square today, WAPA was reassured that there have been no further compromise incidents since Oct. 25, when the threat against WAPA’s customers was identified and security fixes were immediately implemented,” Kupfer said, adding that the WAPA website payment portal adheres to the requirements of the Payment Card Industry Security Standards.
These requirements are established by the major credit card companies to ensure the secure transmission, storage and handling of cardholder information.
WAPA has also been assured by Central Square that the only cards impacted were those being entered to the payment process in real time. Previously established Auto-Pay and stored credit cards were not impacted. In fact, WAPA only stores customers IDs and payment confirmations. The Authority does not store customer’s credit card details on any of its servers,” Kupfer said.
WAPA uses Central Square Technologies in conjunction with PayPal as its payment gateway provider. Central Square is an industry leader in public administration software, serving over 7,500 organizations. WAPA has been using Central Square for over 10 years without any previous incidents.
On Oct. 18, when a customer made an initial report that her card had been compromised after making an online payment with WAPA, the Authority contacted Central Square to open an investigation. A forensics auditor determined that, at that time, the payment portal was not compromised. While the investigation was underway by Central Square, as an added precaution, WAPA began the process of initiating new servers.
A second customer notified WAPA on Oct. 22 of a similar incident involving a credit card. Central Square later confirmed the cyberattack and noted that the Click2Gov application was hit by a never before seen attack. On Oct. 25, Central Square not only confirmed the system had been compromised but, on the same day, developed and implemented a security fix. Since last week, Friday, there have been no new reported instances of fraudulent credit card activity involving WAPA customers.
WAPA advises customers that the online payment options are functional and that customer payment data is fully protected. However, there are several other options available for customers who chose to utilize another payment method including Pay by Phone, self-service kiosks, local bank branches of Popular, Bank of St. Croix, and First Bank, payment drop boxes for checks or money orders and rendering payment at customer service centers.
“Once Central Square has confirmed the timeline for the security breach and provided WAPA with a firm number of customers whose credit cards were compromised, WAPA will reach out to each affected customer with information about a hotline that will be established to provide remediation services including options for credit card monitoring,” Kupfer said.
While the investigation is ongoing, he urged customers to monitor credit card statements for potentially fraudulent activity and to report suspicious charges to the bank or credit card provider, immediately.