WAPA has made known that the credit and debit cards of its customers that were compromised by hackers occurred much earlier than the authority had thought, with hackers gaining access to the Click2Gov payments system that WAPA uses a month before the hack was identified.
Critically, WAPA has yet to reveal how many accounts were affected by the hack, but the compromise appears to be widespread, with multiple Virgin Islanders reporting fraudulent charges on their accounts that occurred after they had used their card to pay WAPA bills.
WAPA said it has been working with Central Square Technologies, the parent company of Click2Gov, “to fully assess the effect of a recent cyber attack on a payment processing application has provided determination of the date range that hackers could have gained access to credit and debit card information,” the date range being from August 30 to October 25.
WAPA said Central Square Technologies has provided it with “reasonable assurances” that there have been no card compromise incidents since October 25.
In explaining how it learned of the attack, WAPA said a customer made an initial report on Oct. 18 that her card had been compromised after making an online payment with WAPA. The authority said it then contacted Central Square to open an investigation. A forensics auditor determined that, at that time, the payment portal was not compromised, WAPA said, a finding later determined to be erroneous.
WAPA said a second customer notified the authority on October 22 of a similar incident involving a credit card, and Central Square later confirmed the hack and noted that the Click2Gov application was hit by a “never before seen attack.”
Yet even after the Oct. 22 incident, WAPA did not issue an advisory. It was not until the Consortium contacted the authority about the hack on Oct. 29 that WAPA hurriedly issued a statement to notify its customers.
On Thursday, WAPA said it would begin notifying customers by both mailed correspondence and email that the card used to make payment to WAPA may be compromised. “The notification will also include information about credit monitoring services to be provided by Central Square Technologies, and a hotline the company will establish to field questions and comments from customers with compromised credit or debit cards,” the authority said.
WAPA urged customers to closely monitor credit card statements for potential fraudulent activity, and to report suspicious or unauthorized charges to the bank or credit card issuer immediately.