City of Seattle pays for friendly hacking to reveal credit card system security issues

    By: Linzi Sheldon


    SEATTLE - The City of Seattle was intentionally hacked by a company it hired to expose vulnerabilities in its payment card processing system.

    A new report released by the Office of the City Auditor shows that the test found 25 vulnerabilities. Some of them were deemed high-risk, indicating “significant security issues.”

    “The test found there were definitely some areas we should focus on pretty quickly, and we did that,” City of Seattle Chief Technology Officer Michael Mattmiller said.

    The simulated attack, called a penetration test, was done by Coalfire Labs for $72,093.

    Mattmiller said once the city received the findings, it immediately moved to fix the vulnerabilities, which he would not describe in detail because of security issues. He did give examples that he said were not specific to this case.

    “Is there a piece of software somewhere in our network that is past its end of life and should be replaced, because there's a known issue with it?” he said.

    The city of Seattle processes more than 11 million credit and debit card transactions across all its lines of business, including pay parking stations and Seattle City Light payments.

    KIRO 7 asked Mattmiller if residents should be concerned about the findings.

    “The message to residents is that in the city, we take security very seriously,” he said. “We’ve taken it up a notch. We’ve implemented new tools, new processes.”

    Mattmiller said the Payment Card Industry Security Standards Council, which ensures businesses and organizations meet proper security standards, has certified the city of Seattle to continue processing transactions. The city received a PCI Level One status in 2014 because of its high volume of payment card transactions.

    He pointed out that the city has added two staffers to the Department of Information Technology’s security team and has implemented better security software.

    “This software is looking to see if there are certain patterns or events that might suggest an anomaly,” he said, “and those get flagged then for our staff to follow up.”

    The idea of the city’s payment system getting hacked is a daunting one.

    Marc O’Brien, who paid a couple bucks for parking just off 4th Avenue, acknowledged the potential threat.

    “Scary, that spending two dollars could cost me thousands,” he said, referencing the parking station.

    He was also pleased by the city’s steps.

    “I think it's proactive,” he said. “Try to beat it before it's a real problem.”

    Meeting PCI Data Security Standards is a requirement, and credit card companies can impose penalties if a business's security isn't good enough.

    The city will continue to test its computer networks through penetration tests every year.
