Port Angeles investigates possible data breach

PORT ANGELES — City officials will hire a computer forensics company by noon today to investigate reports by residents this week that information on credit cards they used online to pay utility bills was hacked, City Manager Dan McKeen said Tuesday.

McKeen said the firm will investigate an “abnormality” that was discovered Monday on a city server that prompted 20 reports Monday and Tuesday from residents who said their credit card information had been hacked and fraudulent purchases made.

City notices about the anomaly were mailed Tuesday to about 9,400 city ratepayers who will begin receiving them today, McKeen said.

An estimated 1,500 residents use the city’s website to pay their utility bills online.

“If you’ve used a credit or debit card to pay for utilities or other services at the city of Port Angeles, we recommend, as a precaution, that you verify all your recent credit or debit transactions,” the notice says.

McKeen said the forensics company’s services could “easily” cost up to $50,000, with $10,000 of that covered by the city’s insurance.

“The FBI has confirmed that they are participating in the investigation,” he added.

“We don’t know how far back this goes.”

McKeen said the firm should be able to determine if there has been a breach of city online services, when and if credit card payment services became flawed, and those customers whose cards were compromised.

McKeen did not know the extent of the abnormality or how long it had existed before its discovery Monday.

“We had some server upgrades in the last six months,” he said.

“Whether these were the servers that were affected or not, I don’t know.”

The city is not accepting credit cards or debit cards for payments until further notice, according to the city’s late Monday afternoon press release.

Only cash and check payments will be accepted.

McKeen on Tuesday said he was unable to give further details on the server flaw.

“I don’t know if it was hacked,” he said.

“There is an abnormality in the file on the server.

“It’s something that shouldn’t have been there.”

The city began receiving reports from residents of “possible credit card compromise” Monday morning, according to a press release the city issued at 5:22 p.m. Monday.

The city’s website crashed at mid-day Monday as the city tried to address the server problem, McKeen said.

The city website was back online by 4:30 p.m. Tuesday.

Geanene Weathers of Port Angeles said Monday afternoon, before the city released its statement, that she began receiving bank-alert text messages at 3 a.m. Sunday.

Weathers, an Olympic Medical Center supervisor of patient financial services, was told by her credit card company that her card was charged a $5.84 transaction with Uber in the Netherlands and a 56-cent charge in North Dakota.

She said the city website saved the address, expiration date and credit card number but not the card’s three-digit security PIN, which she entered on the city website every time she paid a bill.

She said Monday that she suspected her city utility payments were connected to the fraudulent charges after a coworker had read on Facebook that the city had had a data breach and that people were complaining of fraudulent charges on their credit cards.

Commenters in the Facebook group PAWA were reporting a potential breach since mid-afternoon Monday.

Weathers said she has been paying city utility bills online for 16 years.

Weathers said she won’t be paying bills online on the website again anytime soon.

“Right now, it’s not very secure,” she said.

Michael-John Davis, a Port Angeles resident who manages the AT&T store in Sequim, said he suspected the unauthorized use of his credit card was connected to his city utility payments after an employee’s mother experienced a similar situation.

Davis received a call Friday morning from the Capital One fraud department on three unauthorized attempts to make $15 charges to iTunes and a $1,000 charge to a graphics company.

Davis has paid his utility bill online for two years — and said he will continue to do so.

“That’s a danger we live with in the 21st century, and I’m thankful my credit card company took care of me in that situation,” he said.

But it was “frustrating,” Davis said, that it appears the attempted fraud was connected to someone using credit card information he had supplied to the city and that funds should have been spent on better security.

“I think this is an example of something that money should have been spent on,” he said.

________

Senior Staff Writer Paul Gottlieb can be reached at 360-452-2345, ext. 55650, or at pgottlieb@peninsuladailynews.com.