CentralSquare Hit with Class Action Over 2017-2018 Click2Gov Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

CentralSquare Technologies, LLC is on the receiving end of a proposed class action centered on an apparent “wave of data breaches” in 2017 and 2018 that reportedly affected approximately 300,000 individuals.

According to the lawsuit, hackers have been attracted to CentralSquare’s Click2Gov online utilities payment portal—which is used by municipalities nationwide for the payment of utility bills, parking tickets, taxes and similar payments—“like flies to a carcass” since mid-2017. Per the case, CentralSquare’s failure to implement best practices and comply with cybersecurity guidance issued by the Federal Trade Commission has allowed the personal information of thousands of individuals to be compromised and “sold on black markets on the dark web.”

“CentralSquare’s reckless security practices in the face of a known threat permitted hackers to steal the Payment Data of tens of thousands of individuals,” the complaint alleges.

In October 2017 the defendant (then called Superion) acknowledged that its Click2Gov online utilities payment portal had experienced a data breach, and stated that it “continued to work closely with the small number of affected customers,” the case relays. According to the suit, however, cybersecurity firm Gemini Advisory reported in December 2018 that a breach of CentralSquare’s Click2Gov portal had “affected dozens of cities across the United States and Canada between 2017 and late 2018.”

The lawsuit claims the initial 2017-2018 breach allowed cybercriminals to steal roughly 300,000 residents’ payment card details and related personal information, including names, card numbers, expiration dates and security codes. Per the suit, CentralSquare’s claim to have addressed the issue by deploying patches for the impacted municipalities “mak[es] it clear” that the breach could have been prevented had the defendant timely updated its clients’ payment systems.

“CentralSquare had or should have had knowledge of the very serious risks associated with payment card data breaches, and of the need to ensure that its own systems were adequately secured,” the complaint contests. “However, it willfully failed to make the necessary updates to its security practices, protocols, and Click2Gov system, thus permitting the Data Breach to occur.”

The case argues that CentralSquare’s negligence concerning the security of its users is highlighted by the fact that the defendant experienced two more breaches since 2017 even though the company should have been “so fully on guard against cyber-hackers that nothing like this could happen again.”

“But they weren’t, and it did happen again,” the complaint scathes, noting that the company faced a second and third wave of data breaches in late 2019 and mid-2020.

The lawsuit claims CentralSquare’s failure to protect consumers’ personal information has exposed the individuals to an increased risk of identity theft and fraud, as well as injuries that are “fairly traceable” to the defendant’s alleged misconduct.

”As a result of the Data Breach, many of the victims, including Plaintiff and Class Members, have suffered fraudulent charges, had their payment cards canceled, lost use of their funds, lost time contesting charges and frantically trying to claw back funds stolen from their bank accounts, driving to and from banks and credit unions, and some have even had to cancel accounts,” the complaint attests.

Per the case, those whose information was compromised in the breach have had to spend “extensive amounts of time” addressing its purported effects while CentralSquare “has done little to nothing.”

The lawsuit looks to represent anyone whose payment card information was compromised in the 2017/2018 wave of data breaches affecting the defendant’s Click2Gov payment platform, with a proposed subclass of Margate, Florida citizens who fit the same criteria.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.