

About 20,000 payment card records from eight cities across the U.S. have been compromised through a breach of Click2Gov, a popular municipal payments system last compromised in 2018.
Discovered by security researchers at Gemini Advisory LLC, which revealed the details late last week, the breach involved some of the same cities compromised the last time: Pocatello, Idaho, and Broken Arrow, Oklahoma. Also breached were Deerfield Beach, Palm Bay, Milton and Coral Springs, all in Florida; Bakersfield, California; and Ames, Iowa.
The fact that some cities were attacked again indicates that despite patches, the software remains vulnerable. The breaches were uncovered only when the researchers discovered the records offered for sale on the dark web, a shady part of the internet reachable only through special software.
CentralSquare Technologies Inc., the company behind Click2Gov, responded to the report, saying in a statement that it recently received reports of the breach. “We have immediately conducted an extensive forensic analysis and contacted each and every customer that uses this specific software and are working diligently with them to keep their systems updated and protected,” the company said.
That statement implies that some of the installations had not been patched and updated, but the Gemini researchers said that they believed those behind the latest hacks have either uncovered new vulnerabilities or may have maintained access to affected systems from the original attack.
Notably, the first compromise of Click2Gov was traced back to Oracle’s WebLogic application server, outside software required to run Click2Gov and the path used by hackers to access the systems. It’s unclear whether the path was the same this time around.
Ben Goodman, vice president of global strategy and innovation at identity and access management firm ForgeRock Inc., told SiliconANGLE Sunday that the new incidents prove the portals’ system is still vulnerable.
“Following this breach, users should regularly check their payment-card statements for any abnormal activity over the next several weeks,” Goodman advised. “Click2Gov and similar self-service billing and payment applications should employ security strategies and tools that support real-time, contextual and continuous security that detects unusual behavior and prompts further identity verifications, such as multi-factor authentication.”