City Of FDL Water Payment Portal Back Online

The City of Fond du Lac’s system for paying water bills online is up and running again. It was taken down last month after a local credit union told the City that 25 of its customers had reported fraud on their credit or debit cards over a four-month span. The common denominator seemed to be the payment portal for City water bills. City Manager Joe Moore says the system was taken down and rebuilt. The City also notified residents about the possible breach and still isn’t certain whether the system had been compromised. Moore says taking the system down was a precaution after the City had been contacted by that financial institution. It also gave the City’s customers a chance to check with their banks and credit unions to see if there were any unusual charges on their accounts. The preliminary forensic analysis on the City’s server showed no evidence of compromise or credit card skimming malware. The City also got Payment Card Industry certification and compliance for the new payment portal. The City has about 15,000 water customers and about 14,000 payments on those accounts are made yearly using the water payment portal.

City Manager Joseph Moore’s press release:

We take the trust of our customers and citizens very seriously and that was the reason for the very aggressive approach that we took when a possible credit card security issue arose last month.

On December 12th, 2017, the City Comptroller Office was contacted by a local credit union advising them that over the past few months they have had an increased amount of fraud reported on credit union credit/debit cards. The representative from the credit union stated they had about 150 of their customers that used our payment portal, and about 25 of them had reported fraud on their cards in the last 4 months. This in itself isn’t evidence or indicative of a breach. The City has about 15,000 water customers and about 14,000 payments on those accounts are made yearly using the water payment portal. Many of our account holders use local banking institutions, leading to a high rate of local banks having local payments to our system.

We immediately contacted our credit card processor who receives alerts on our behalf from the credit card brands (MasterCard, Visa, American Express, Discover, etc.) to determine if there were any reports of compromise involving our portal.  They had not. As of January 15, 2018, our processor has not received any reports of compromise involving the city.  This would be the normal process for credit card data loss reports from the credit card industry fraud departments.

As a precautionary measure, City IT Services took the portal offline until further investigation could be conducted.  Also as a precaution this portal was completely rebuilt with trusted code.  Our completely rebuilt and certified payment portal will be going back on-line for public use on Monday, January 15th. 

During the rebuild, the portal/server and logs were sent off for independent forensic analysis to determine if a breach actually occurred or if it was a coincidence that the credit card users of our system also had fraud from a breach in another business. As of January 15, 2018, the preliminary forensic analysis on the server showed no evidence of compromise or credit card skimming malware, leading us to believe that we were not a point of compromise. As mentioned earlier, we erred on the side of caution and did do a complete rebuild of this portal and re-obtained PCI (Payment Card Industry) Certification/Compliance of this new portal.

The City IT Services Office conducts normal cyber-hygiene and patches 100s of new vulnerabilities on a weekly basis on different systems, very similar to when you get updates to your cell phones or home computers. A patch performed back in October 2017 was a very common action that we take on servers and devices daily. It does not appear that this patch is related to the fraud reported by the credit union.

As you see in the news, most businesses do a thorough investigation which can take months and then notify their customers of the loss of data.  We took a more aggressive approach so that our customers could make sure that they self-protected themselves, even if we were not the cause of their fraud, especially over the holiday seasons.

If you have any questions regarding water payments, please reach out to Eileen Baus at 920-322-3454.