Civica pay hack / data leak council tax card payments.

boneofo
boneofo Posts: 61 Forumite
edited 26 October 2023 at 3:20PM in Budgeting & bank accounts
I suspect Civica pay services for Manchester city council have had a data leak or breach. They were down for over a week at the start of September and at the time when I looked into it, other local authorities using Civica for revenues payments (council tax) were fine.
The company did not respond to queries about it and since the middle of October, my card which only Civica has the CVV for has been used for digital services purchases that don't need SCA approval.

Comments

  • Zanderman
    Zanderman Posts: 4,842 Forumite
    You're making this assumption - a data leak from civica, but only at Manchester - because your card has been used without the CVV?  That's quite a leap. 

    What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.
  • Zanderman said:
    You're making this assumption - a data leak from civica, but only at Manchester - because your card has been used without the CVV?  That's quite a leap. 

    What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.
    @boneofo 's point is that only Civica/MCC have been given the CVV for the card that has been used for unauthorised purchases, and that these purchases have not triggered 2FA authorisation.

    Sounds unlikely that someone would steal your card details just to watch Netflix or buy a Microsoft 365 subscription, and any data hack at MCC would have been given wide publicity. 

    I'd be looking more closely at exactly what those purchases were, the physical security of my card (especially if my home is shared) and, of course, cancelling and replacing my card.

    Changing the payments for Council Tax to Direct Debit can't hurt either.
  • boneofo
    boneofo Posts: 61 Forumite
    Zanderman said:

    What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.
    You're perceptive on the Amazon purchase but I didn't know about the CVV. Thanks.


    Sounds unlikely that someone would steal your card details just to watch Netflix or buy a Microsoft 365 subscription, and any data hack at MCC would have been given wide publicity. 


    Recent hacks such as large government supplier Capita took a while to become public.
  • SiliconChip
    SiliconChip Posts: 1,774 Forumite
    It's unlikely that you have a customer relationship with Civica which is probably why they didn't respond to you. More importantly, what have Manchester City Council said to you about it when you asked them, and have you raised it with your councillor? I suspect, like other posters, that you've made a bit of a leap but if it's bothering you the council is the place to turn to for answers.
  • masonic
    masonic Posts: 26,371 Forumite
    edited 28 October 2023 at 8:02PM
    Zanderman said:
    You're making this assumption - a data leak from civica, but only at Manchester - because your card has been used without the CVV?  That's quite a leap. 

    What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.
    @boneofo 's point is that only Civica/MCC have been given the CVV for the card that has been used for unauthorised purchases, and that these purchases have not triggered 2FA authorisation.

    Sounds unlikely that someone would steal your card details just to watch Netflix or buy a Microsoft 365 subscription, and any data hack at MCC would have been given wide publicity. 

    I'd be looking more closely at exactly what those purchases were, the physical security of my card (especially if my home is shared) and, of course, cancelling and replacing my card.

    Changing the payments for Council Tax to Direct Debit can't hurt either.
    The security of the device(s) used to go online and pay the council tax should also be examined, as a compromise on the individual's side is much more likely if the alleged breach has only so far affected one individual. But as you say, it's more likely to be a physical compromise, perhaps by someone the OP knows, if the pattern of transactions isn't typical of a seasoned fraudster.
    FWIW, I use Civica, as I suspect do many other forumites. There's been enough time since the OP's troubles started for any more widespread problem to have come to light.
  • born_again
    born_again Posts: 19,429 Forumite
    Zanderman said:
    You're making this assumption - a data leak from civica, but only at Manchester - because your card has been used without the CVV?  That's quite a leap. 

    What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.
    @boneofo 's point is that only Civica/MCC have been given the CVV for the card that has been used for unauthorised purchases, and that these purchases have not triggered 2FA authorisation.

    Sounds unlikely that someone would steal your card details just to watch Netflix or buy a Microsoft 365 subscription, and any data hack at MCC would have been given wide publicity. 

    I'd be looking more closely at exactly what those purchases were, the physical security of my card (especially if my home is shared) and, of course, cancelling and replacing my card.

    Changing the payments for Council Tax to Direct Debit can't hurt either.
    Retailers do not store CVV. That is a breach of card detail storage & leads to a very big fine.

    https://www.globalpaymentsintegrated.com/en-us/blog/2020/01/14/card-verification-codes-pci-rules-for-data-storage#:~:text=In the case of a,only under very specific reasons.

    Card verification codes are a security feature typically used in a card-not-present environment (e-commerce, mail order/telephone order). The intent of this code is to ensure that the customer has the physical card during transactions where the merchant is unable to physically swipe the card. CVV data is not necessary for card-on-file transactions or recurring payments, and storage of this data is prohibited by the PCI-Data Security Standard.

     In the case of a recurring or card-on-file transaction, the CVV is not expected. PCI-DSS requirement 3.2.2 specifically prohibits storage of the card verification code or value after authorization. The only entity that can ever store this data is an issuer, and only under very specific reasons.

    Surprisingly, Netflix & M365 are very common fraud.
    Life in the slow lane
  • Zanderman
    Zanderman Posts: 4,842 Forumite
    Taking on board born_again's comments that no-one stores the CVV, the original premise, that the Civica system has been hacked, seems yet more unlikely.  OP says only Civica had the CVV, but actually, from the info above, they just had it once  to authorise ongoing C Tax payments and could not store it, so they don't have it.

    And as pointed out earlier many online retailers, particularly some digital services, don't need a CVV anyway. OP's reply comment re Amazon doesn't confirm that use has been at Amazon, but doesn't say it wasn't either!

    Other usage of the card, when the number and end date could be taken, seems just as likely, more likely probably bearing in mind there are no reported issues with Civica, to be the cause of the problem rather than Civica.
  • masonic
    masonic Posts: 26,371 Forumite
    edited 29 October 2023 at 7:17PM
    Zanderman said:
    Taking on board born_again's comments that no-one stores the CVV, the original premise, that the Civica system has been hacked, seems yet more unlikely.  OP says only Civica had the CVV, but actually, from the info above, they just had it once  to authorise ongoing C Tax payments and could not store it, so they don't have it.

    And as pointed out earlier many online retailers, particularly some digital services, don't need a CVV anyway. OP's reply comment re Amazon doesn't confirm that use has been at Amazon, but doesn't say it wasn't either!

    Other usage of the card, when the number and end date could be taken, seems just as likely, more likely probably bearing in mind there are no reported issues with Civica, to be the cause of the problem rather than Civica.
    I don't think Civica supports ongoing payments (at least I've found no way to set that up). They process only one-off payments for my LA. For ongoing payments a DD is required.
    Amazon does request the CVV when adding a new card, and presumably uses it to set up a CPA for ongoing payments thereafter.
    If any of the OP's transactions were verified by CVV, then as you say, it strongly points away from a provider data breach.