US Cities Disclose Data Breaches After Vendor’s Ransomware Attack

A ransomware attack against the widely used payment processor ATFS has sparked data breach notifications from numerous cities and agencies within California and Washington.

Automatic Funds Transfer Services (AFTS) is used by many cities and agencies in Washington and other US states as a payment processor and address verification service. As the data is used for billing and verifying customers and residents is wide and varied, this attack could have a massive and widespread impact.

The attack occurred around February 3rd when a cybercrime gang known as ‘Cuba ransomware’ stole unencrypted files and deployed the ransomware.

The cyberattack has since caused significant disruption to AFTS’ business operations, making their website unavailable and impacting payment processing. When visiting their site, people are greeted with a message, stating, “The website for AFTS and all related payment processing website are unavailable due to technical issues,” as shown below.

Also Read: What Is A Governance Framework? The Importance And How It Works

BleepingComputer discovered that the attack was conducted by a cybercrime operation known as ‘Cuba Ransomware’ after the hackers began selling AFTS’ stolen data on their data leak site.

Like other human-operated ransomware, Cuba will breach a network, spread slowly through servers while stealing network credentials and unencrypted files, and finally end the attack by deploying the ransomware to encrypt devices.

According to the data leak page, the Cuba gang claims to have stolen “financial documents, correspondence with bank employees, account movements, balance sheets, and tax documents.”

If the ransomware gang cannot find a buyer for the data, they will likely release it for free, allowing the data to be used by other threat actors.

Affected cities and agencies

Due to the large amount of potential data allegedly stolen by the Cuba Ransomware operation, cities utilizing AFTS as their payment processor or address verification service have begun disclosing potential data breaches.

The potential data exposed varies depending on the city or agency, but may include names, addresses, phone numbers, license plate numbers, VIN numbers, credit card information, scanned paper checks, and billing details. 

Below we have listed the cities and agencies that have released data breach notification, with more likely to follow in the future.

Also Read: Website Ownership Laws: Your Rights And What These Protect

California Department of Motor Vehicles [Data Breach Notification]:

Automatic Funds Transfer Services, Inc. (AFTS) of Seattle was the victim of a ransomware attack in early February that may have compromised information provided to AFTS by the DMV, including the last 20 months of California vehicle registration records that contain names, addresses, license plate numbers and vehicle identification numbers (VIN). AFTS does not have access to DMV customers’ Social Security numbers, birthdates, voter registration, immigration status or driver’s license information, therefore this data was not compromised.

City of Kirkland, Washington [Data Breach Notification]:

The information stored in the AFTS databases is limited to data necessary to fulfill utility billing and payment processing of paper check payments.

At this time, we have no knowledge that any personal information belonging to any Kirkland utility customers has been accessed or misused. However, AFTS is currently conducting an investigation to determine what personal information might have been accessed by the ransomware actors, if any, and will inform Kirkland of that information when it becomes available. We can confirm that ATFS’ database does not contain any of our customers’ social security numbers, dates of birth, driver’s license numbers, state ID numbers or credit card numbers.

City of Lynnwood, Washington [Data Breach Notification]:

The City of Lynnwood contracts with AFTS to mail our printed utility statements to customers. Information that is included in the mailed statements includes the customer name, address, and utility account number. Lynnwood’s information stored in the AFTS database is limited to data necessary to fulfill the printing and mailing of utility bills. Payment methods are processed by a different vendor who has not been impacted by this incident.

City of Monroe, Washington [Data Breach Notification]:

The information stored in the AFTS databases is limited to data necessary to fulfill utility billing and payment processing of paper check payments. Electronic payments are processed by a different vendor who is not impacted by the incident. Potentially breached information from the AFTS database may have included the following personal information: utility bill account number, name, address, and billing amounts. Additionally, for residents or businesses who pay their utility bills by mailing a paper check, scanned copies of their paper checks are also stored on the AFTS servers which include bank account and routing information. It is unknown at this time whether these scanned copies of checks have been illicitly extricated from the network. The databases do not contain social security numbers, birth dates, driver’s license numbers, state ID numbers or any other Personally Identifiable Information (PII). The databases do not contain any resident or commercial business credit card information.

City of Redmond, Washington [Data Breach Notification]:

Personal information may have been exposed including names and addresses of utility customers. The City of Redmond is working closely with AFTS to determine the extent of the breach and if any of the City’s information was compromised.

City of Seattle, Washington [Data Breach Notification]:

The City of Seattle has recently learned that a third-party utility billing vendor, Automatic Funds Transfer Services, Inc. (AFTS), which is used by a small number of City departments, was the victim of a ransomware attack. City departments use this vendor for commercial billing, printing, and mailing services. 

Lakewood Water District [Data Breach Notification]:

The information stored in the AFTS databases is limited to data necessary to fulfill billing and payment processing of paper check payments. Electronic payments are processed by a different vendor who is not impacted by the incident. Breached information from the AFTS database may have included the following personal information: water bill account number, name, address, and billing amounts. Additionally, for residents or businesses who pay their utility bills by mailing a paper check, scanned copies of their paper checks are also stored on the AFTS servers which include bank account and routing information. It is unknown at this time whether these scanned copies of checks have been illicitly extricated from the network.

Port of Everett [Data Breach Notification]:

We have no indication Port of Everett’s customers information has been compromised, but we wanted to make you immediately aware of the risk of potential exposure of your personal and/or credit information as soon as possible.

As more cities, agencies, and organizations disclose data breaches, we will update the above list.