PORT ANGELES — An investigation into a possible data breach that might have compromised credit cards used to pay Port Angeles utility bills in July is still ongoing.
Meanwhile, the city has taken steps to ensure that its customers’ personal data is protected, City Manager Dan McKeen said.
The city received 20 initial reports from online-paying customers who said their cards might have been hacked and fraudulent purchases made July 24 and July 25.
The city hired Navigant, a forensics accounting and investigations firm, to determine whether there had been a data breach and, if so, the extent of the breach.
“We’re taking a very cautious and aggressive approach at the same time,” McKeen said in a Monday interview.
“What I mean by that is we are not going to be going back to business as usual until we have a very good understanding, hopefully, of what happened, but at least that everything is in place to minimize any compromise of information in the future.
“We want people to have confidence that we’re doing everything we can to protect their information,” McKeen said.
Online utility payments will not be accepted until the investigation is complete.
City officials have no estimate for when the forensic analysis will be finished.
“I’d like to be able to connect the dots,” McKeen said.
“I like a clear connection of the dots, and right now, while they’re going through the forensics investigation, there has been no clear connection of the dots.”
As an added precaution, city customers are no longer able to pay their utility bill by writing a credit card number on the invoice or by reading a credit card number over the phone.
Credit card payments can be made in person during normal business hours on temporary credit card readers at City Hall, 321 E. Fifth St.
“We shouldn’t be asking people to put their credit card information on a piece of paper,” McKeen said.
“It’s not a best practice. It’s not a good practice.
“That piece of paper, who knows where it could go?” McKeen added.
“What we’re trying to do is take this opportunity as a way to ensure, again, that we have best practices in place, and maybe make some changes.”
An insurance policy will cap the city’s expense of the investigation at $25,000.
The FBI has opened an investigation and is awaiting information from the same firm, McKeen said.
McKeen said the only information he had received from Navigant is that an “abnormality” that was found July 24 might not have caused the suspected data breach.
He said the potential data breach had “nothing to do” with recent upgrades to the city’s computer servers.
The city suspended late fees for utility ratepayers shortly after reports of a possible data breach surfaced.
Late fees were reinstated Oct. 1, a customer service representative said Tuesday.
McKeen said he was “bothered” that the ongoing investigation was causing an inconvenience to utility customers.
“We want to provide the tools to make things as easy as we can for our customers to pay their bills,” McKeen said.
“Obviously, that’s important to us.”
He added: “Honestly, I thought that within 30 days, I would have a report on my desk.”
McKeen said the possible data breach was “not unique to Port Angeles.”
He told the city council at its Aug. 1 meeting that Pacific Science Center, Washington State University, Metro Parks Tacoma and the Seattle Housing Authority had reported similar experiences since May.
Reporter Rob Ollikainen can be reached at 360-452-2345, ext. 56450, or at [email protected].