💧 Water and Power · U.S. Virgin Islands
WAPA said customers should monitor credit card accounts after payment processor cyberattack
The Virgin Islands Water and Power Authority said on October 31, 2019, that it was continuing to work with Central Square Technologies to determine how many customers were affected by a cyberattack on a payment processing application used for credit card payments.
WAPA said Central Square, a third-party vendor, was investigating the scope and cause of the breach, including the period during which customer credit card information may have been compromised while payments to WAPA were being processed.
According to WAPA, Central Square told the authority there had been no further compromise incidents since October 25, 2019, when the threat was identified and security fixes were implemented. WAPA also said the vendor reported that only cards entered during real-time payment transactions were affected, while previously established Auto-Pay accounts and stored credit cards were not impacted.
WAPA said it does not store customers' credit card details on its own servers, and that it stores only customer IDs and payment confirmations.
The authority said the investigation began after a customer reported on October 18, 2019, that her card had been compromised after an online payment. WAPA said a second customer reported a similar incident on October 22, 2019. The authority said Central Square later confirmed that its Click2Gov application had been hit by a cyberattack, and that a security fix was developed and implemented on October 25, 2019.
WAPA said online payment options remained available, but advised customers to monitor their credit card statements for suspicious activity and report questionable charges to their bank or card provider. The authority said it planned to contact affected customers once the investigation established the breach timeline and the number of compromised accounts, and said support services including credit monitoring would be made available.