SPI Insights

The cities of Fort Worth, Sugar Land, and Waco are among the latest municipalities around the state and country to report data breaches that exposed customers’ credit card information to theft.

They joined College Station, Odessa, and San Angelo as clients of the same third-party vendor whose software was violated by an unauthorized party. Hackers inserted code that captured information from one-time payments made online.

Fort Worth officials reported about 3,000 of its water department customers may have had their credit card information stolen between August 27 and October 23.
Cardholders’ names, billing addresses, credit card numbers, card types, credit card security codes (CVV), and expiration dates were exposed.

Sugar Land officials said their system was vulnerable from August 30 to October 14. They were notified of the breach on October 15, but the extent of the attack was unknown until December 12.

Waco was notified on November 8 that attackers stole data from Waco’s water utility payment system during the same time period as Sugar Land. The city mailed 8,000 letters to customers whose data may have been stolen.

After suffering a similar data breach in 2018 with the same vendor, the city of San Angelo had started the process earlier this year to switch services to a new company when it learned its customers’ data was exposed from late August to mid-October.

Odessa was informed on December 11 of the breach that affected its utility payment system between August 27 and October 14. College Station posted a notice on its website on November 18 that it had temporarily disabled online payments and launched an investigation.