Hackers have earned $1.7 million so far from trading data stolen from US gov payment portals

User payment data was stolen from local Click2Gov government systems in US cities.

When a government body creates a self-service payment system for paying for everything from utility bills to permits and fines, you would expect convenience to be tied to adequate security for financial data.

Not necessarily so in the case of Click2Gov, a payment portal system used by many US cities, both small and large.

Developed by Central Square, formerly known as Superion, it was rumored last year that the local government portal service may have been subject to a data breach.

In September this year, cybersecurity firm FireEye confirmed that a security incident had taken place, in which threat actors had planted never-before-seen malware to scrape payment card details from US citizens.

It was suggested that the new malware strains, Firealarm and Spotlight, were able to parse logs for payment card data and extract payment details.

Security research firm Gemini Advisory has now released a report examining the after-effects of the attack, in which it is believed 294,929 payment records have been compromised across at least 46 cities in the US, as well as one in Canada.

The findings suggest that less than 50 percent of cities which have lost customer data either know or have publicly disclosed data breaches occurring at their sites.

On Tuesday, the company said that by selling this information in the Dark Web, the threat actors have earned themselves at least $1.7 million.

See also: Hackers swipe card numbers from local government payment portals

In the meantime, Central Square is still trying to work out how the attacks took place -- and potentially portals are still at risk. The company did deploy a patch in June to resolve the original vulnerabilities the hackers used to infiltrate Click2Gov, but told Gemini Advisory that "the system remains vulnerable for an unknown reason."

However, the firm added that the affected systems were all locally hosted, while the cloud-based Click2Gov software was not affected.

It seems, then, that local systems have security issues which are yet to be addressed. Saint Petersburg, Florida, Bakersfield, California, and Ames, Iowa, have all reported utility payment portal data breaches in the last three months.

TechRepublic: Why cryptojacking will become an even larger problem in 2019

Payment data from these portals have been found for sale in the web's underbelly. 

"In our analysis of all 20 reported instances of the Click2Gov breaches, we have definitively confirmed that, in total, at least 111,860 payment cards were compromised," Gemini Advisory says. "Also, in each instance, the stolen payment cards were uploaded for sale either during the breach or immediately after the breach was identified and reported, with the average price of $10 per card. "

Two hackers have been tracked through their wares, of which the cybersecurity firm believes both are likely part of the criminal ring which conducted the widespread attacks.

Gemini advisory's Director of Research, Stas Alforov, told Fortune that Click2Gov is working with local authorities to resolve the security issues which still exist, and the data theft is due in part to "a lack of sophistication on the part of municipal IT workers."

CNET: 4 smart ways to deter break-ins

Previous and related coverage