Burlington Electric Department shut down its online payment system last week.

A Reddit user discovered that utility customers’ passwords were stored in an internal database in plain text, rather than as salted hashes, so anyone able to read the database could read every password.

Click2Gov, the web interface customers use to pay their bills, had stored customers’ passwords in plain text. This was an “unacceptable security protocol,” said Neale Lunderville, BED’s general manager, in a statement last week.

Lunderville said the utility has no reason to believe that the database was breached or passwords compromised. He said the decision to shut down the payment system was a “preventive measure.”

The Burlington utility hopes to have the online payment system running by the end of May, he said. Customers have been sent alternative payment instructions by mail.

The utility’s existing vendor, SunGard, a Pennsylvania-based software company, will perform the security upgrade, Lunderville said.

Greg Schoppe, a web developer at Burlington Bytes, posted a warning on Reddit on April 10 describing BED’s flawed password storage system.

“This is extremely bad, as it means that a single hacked server, or a single annoyed [database administrator] would gain an attacker passwords for every renter and homeowner in Burlington,” Schoppe posted on Reddit.

He was concerned that customers might reuse their Burlington Electric account password for their bank accounts, so a leak of the utility’s table would expose those accounts too.
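To make the distinction concrete, the following is an added example, not code from the article, from Click2Gov or from SunGard, and it does not describe the upgrade the vendor will perform. It contrasts the practice the article describes, keeping the password itself in the customer table, with the standard remedy of storing only a salted, slow hash (here PBKDF2-HMAC-SHA256 from the Python standard library; the work factor and the sample accounts are assumptions). The "attacker" in the example is the one from the Reddit post: someone who can read the whole table.

```python
"""Added example (not the article's, the vendor's or the utility's code):
plaintext password storage versus salted, slow hashing, standard library only."""
import hashlib
import hmac
import secrets

# Assumption: work factor in the range currently recommended for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000

# Constructed sample "customer table": fictional accounts, not real data.
SAMPLE_USERS = {
    "renter@example.com": "correct horse battery staple",
    "owner@example.com": "Tr0ub4dor&3",
}


def store_plaintext(users):
    """What the article describes: the secret itself sits in the database,
    so anyone who can read the table (a hacked server, a DBA) reads every password."""
    return {user: {"password": pw} for user, pw in users.items()}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a slow, salted hash. A fresh random salt per user means two users with
    the same password get different records, and an attacker who dumps the table
    cannot precompute one lookup table for everyone."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def store_hashed(users):
    """The remedy: the table holds only salt, work factor and hash, never the password."""
    return {user: hash_password(pw) for user, pw in users.items()}


def verify(record, candidate):
    """Recompute with the stored salt and work factor; compare in constant time so
    timing does not leak how many leading bytes of the hash matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaked_passwords(table):
    """Simulate the attacker from the Reddit post: dump the table and list every
    account whose record contains a directly usable password."""
    return [user for user, rec in table.items() if "password" in rec]


if __name__ == "__main__":
    plain = store_plaintext(SAMPLE_USERS)
    hashed = store_hashed(SAMPLE_USERS)
    print("plaintext table leaks:", leaked_passwords(plain))
    print("hashed table leaks:", leaked_passwords(hashed))
    rec = hashed["renter@example.com"]
    print("login with right password:", verify(rec, "correct horse battery staple"))
    print("login with wrong password:", verify(rec, "correct horse battery stapler"))
```

Reading the hashed table gives the attacker only per-user salts and digests; recovering a password still costs a guess-by-guess search at the chosen work factor, whereas the plaintext table hands over every password, and with it every account where the customer reused it.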

Lunderville said he does not believe any other systems were vulnerable.

Twitter: @HerrickJohnny. John Herrick joined VTDigger in June 2013 as an intern working on the searchable campaign finance database and is now VTDigger's energy and environment reporter. He graduated...
