Civica pay hack / data leak council tax card payments.

boneofo
Posts: 61 Forumite


I suspect Civica pay services for Manchester city council have had a data leak or breach. They were down for over a week at the start of September and at the time when I looked into it, other local authorities using Civica for revenues payments (council tax) were fine.
The company did not respond to queries about it, and since the middle of October my card, which only Civica has the CVV for, has been used for digital services purchases that don't need SCA approval.
0
Comments
-
You're making this assumption - a data leak from civica, but only at Manchester - because your card has been used without the CVV? That's quite a leap.
What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.
3 -
Zanderman said:
You're making this assumption - a data leak from civica, but only at Manchester - because your card has been used without the CVV? That's quite a leap.
What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.
Sounds unlikely that someone would steal your card details just to watch Netflix or buy a Microsoft 365 subscription, and any data hack at MCC would have been given wide publicity.
I'd be looking more closely at exactly what those purchases were, the physical security of my card (especially if my home is shared) and, of course, cancelling and replacing my card.
Changing the payments for Council Tax to Direct Debit can't hurt either.
0 -
Zanderman said:
What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.
flaneurs_lobster said:
Sounds unlikely that someone would steal your card details just to watch Netflix or buy a Microsoft 365 subscription, and any data hack at MCC would have been given wide publicity.
Recent hacks such as large government supplier Capita took a while to become public.
0 -
It's unlikely that you have a customer relationship with Civica which is probably why they didn't respond to you. More importantly, what have Manchester City Council said to you about it when you asked them, and have you raised it with your councillor? I suspect, like other posters, that you've made a bit of a leap but if it's bothering you the council is the place to turn to for answers.
0 -
flaneurs_lobster said:
Zanderman said:
You're making this assumption - a data leak from civica, but only at Manchester - because your card has been used without the CVV? That's quite a leap.
What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.
Sounds unlikely that someone would steal your card details just to watch Netflix or buy a Microsoft 365 subscription, and any data hack at MCC would have been given wide publicity.
I'd be looking more closely at exactly what those purchases were, the physical security of my card (especially if my home is shared) and, of course, cancelling and replacing my card.
Changing the payments for Council Tax to Direct Debit can't hurt either.
The security of the device(s) used to go online and pay the council tax should also be examined, as a compromise on the individual's side is much more likely if the alleged breach has only so far affected one individual. But as you say, it's more likely to be a physical compromise, perhaps by someone the OP knows, if the pattern of transactions isn't typical of a seasoned fraudster.
FWIW, I use Civica, as I suspect do many other forumites. There's been enough time since the OP's troubles started for any more widespread problem to have come to light.
0 -
flaneurs_lobster said:
Zanderman said:
You're making this assumption - a data leak from civica, but only at Manchester - because your card has been used without the CVV? That's quite a leap.
What 'digital services' have been bought with it? Some retailers, notably Amazon, don't bother with CVV.
Sounds unlikely that someone would steal your card details just to watch Netflix or buy a Microsoft 365 subscription, and any data hack at MCC would have been given wide publicity.
I'd be looking more closely at exactly what those purchases were, the physical security of my card (especially if my home is shared) and, of course, cancelling and replacing my card.
Changing the payments for Council Tax to Direct Debit can't hurt either.
https://www.globalpaymentsintegrated.com/en-us/blog/2020/01/14/card-verification-codes-pci-rules-for-data-storage#:~:text=In the case of a,only under very specific reasons.
Card verification codes are a security feature typically used in a card-not-present environment (e-commerce, mail order/telephone order). The intent of this code is to ensure that the customer has the physical card during transactions where the merchant is unable to physically swipe the card. CVV data is not necessary for card-on-file transactions or recurring payments, and storage of this data is prohibited by the PCI-Data Security Standard.
In the case of a recurring or card-on-file transaction, the CVV is not expected. PCI-DSS requirement 3.2.2 specifically prohibits storage of the card verification code or value after authorization. The only entity that can ever store this data is an issuer, and only under very specific reasons.
Surprisingly, Netflix & m365 are very common fraud.
Life in the slow lane
2 -
Taking on board born_again's comments that no-one stores the CVV, the original premise, that the Civica system has been hacked, seems yet more unlikely. OP says only Civica had the CVV, but actually, from the info above, they just had it once to authorise ongoing C Tax payments and could not store it, so they don't have it.
And as pointed out earlier many online retailers, particularly some digital services, don't need a CVV anyway. OP's reply comment re Amazon doesn't confirm that use has been at Amazon, but doesn't say it wasn't either!
Other usage of the card, when the number and end date could be taken, seems just as likely, more likely probably bearing in mind there are no reported issues with Civica, to be the cause of the problem rather than Civica.
0 -
Zanderman said:
Taking on board born_again's comments that no-one stores the CVV, the original premise, that the Civica system has been hacked, seems yet more unlikely. OP says only Civica had the CVV, but actually, from the info above, they just had it once to authorise ongoing C Tax payments and could not store it, so they don't have it.
And as pointed out earlier many online retailers, particularly some digital services, don't need a CVV anyway. OP's reply comment re Amazon doesn't confirm that use has been at Amazon, but doesn't say it wasn't either!
Other usage of the card, when the number and end date could be taken, seems just as likely, more likely probably bearing in mind there are no reported issues with Civica, to be the cause of the problem rather than Civica.
I don't think Civica supports ongoing payments (at least I've found no way to set that up). They process only one-off payments for my LA. For ongoing payments a DD is required.
Amazon does request the CVV when adding a new card, and presumably uses it to set up a CPA for ongoing payments thereafter.
If any of the OP's transactions were verified by CVV, then as you say, it strongly points away from a provider data breach.
0