
The City of Lubbock in Texas said its third-party-hosted utility payment portal suffered a significant data security incident that compromised the sensitive personal information of the city’s residents.
In a data security incident notice filed with the Attorney General of Vermont, the city said that on January 6, it discovered that a threat actor had created a fake pop-up window on the City of Lubbock Utilities (COLU) payment website, which requested credit card information from residents.
The COLU website is used by residents to pay city utility bills, including water, wastewater, storm water and solid waste, depending on the area they live in.
“Customers attempting to make payments on the legitimate COLU payment website were being directed to the fake pop-up window between December 18, 2024, and January 6, 2025,” the City said. “Although the City has accounted for all payments made during this period and no payments were delayed, this incident may have allowed the malicious actor to collect payment card information from individuals who entered their details in the fake pop-up window during this timeframe.”
An investigation into the malicious activity revealed that residents' sensitive data, including their names, billing addresses, payment card numbers, CVVs, and expiration dates, was compromised during the incident. While the notice filed with the Vermont state regulator doesn’t state the number of affected individuals, Texas’ state data breach portal revealed that at least 12,503 individuals were impacted by the breach.
“When the City discovered the issue, it promptly disabled the COLU payment website to address the issue and engaged third-party cybersecurity specialists to investigate. By disabling the legitimate COLU payment website, customers were no longer being redirected to the fake pop-up window,” the City added.
While the City found no evidence of the compromised data being misused, it has advised all affected individuals to regularly monitor their credit reports and their account and benefit statements, and to report any suspicious activity to law enforcement authorities, including the police and the state attorney general. It has also offered complimentary identity protection and credit monitoring services through Equifax to all affected individuals.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543