At least 110 people have reported unauthorized charges to their credit or debit cards since Oceanside discovered a suspected breach of its online utilities payment system two weeks ago.
Unwanted purchases included iTunes music and Lyft car rides, city Financial Services Director Jane McPherson said this week. The city’s 44,000 utilities customers normally use the system to pay their water, sewer and trash bills.
“We take this very seriously,” McPherson said. “We want to make sure we keep everything secure, and that’s why we are taking all steps necessary.”
One victim of the data breach, who asked only to be identified by his first name, Scott, said someone used his credit card information in an attempt to buy $700 worth of barbecue equipment online and ship it to Rialto, a city in San Bernardino County.
The credit card company approved the first purchase, he said, but then it declined two similar transactions and contacted him about the suspicious activity. He had the company reverse the original purchase immediately.
“I got lucky,” he said. “They picked it up right away.”
However, Scott said, the city needs to do more to notify residents as soon as possible that their personal information might be compromised so that they can take steps to prevent theft. City officials said it took a few days to determine that their system may be the source of the leaked information.
The first clue of a problem came when a customer service supervisor received a call Aug. 14, McPherson said. Soon there were more calls, and the city decided to shut down the online payment system to investigate.
“We don’t have any idea” whether the hack was internal or external, or how the information might have been released, she said.
The city’s online payment system remained unavailable Tuesday while experts and law enforcement officers investigated the problem. Meanwhile, city officials advised people to continue checking their bank accounts for suspicious charges.
The city has brought in a cyber security expert to conduct a forensic analysis of the apparent hack, McPherson said. FBI agents and local law enforcement officers also are involved in the investigation. A report on the results is expected this week.
In all the known Oceanside cases, the banks or credit unions have reimbursed people for the disputed charges, she said.
The illegal charges occurred on accounts used to make single online payments, and not ones set up with repeated automatic payments, McPherson said. They did not occur on payments through the city’s Express Utility Payment system, which can be found on the city’s website at the bottom of the online payment services page.
Security breaches have surged across California and much of the nation in the past year or two.
A report released in 2016 by then-California Attorney General Kamala Harris stated that the number of records actually compromised increased from 4.3 million in 2014 to 24 million the following year.
Most of those data breaches occurred in large commercial retail systems such as Target department stores and Chipotle restaurants. Another recent threat to city online systems has been ransomware, such as a case last year that locked up much of the San Francisco public transit system and unsuccessfully demanded about $70,000 to release control of the computers.
Oceanside customers hit by the data hack appear to have made a one-time payment using the system between July 1 and Aug. 13.