Security and Third Party Apps
There are times when it makes good business sense to outsource certain tasks. Doing so may be time-effective, cost-effective, or both. One company may choose to outsource payroll; another may use a third-party application for bookkeeping. In today’s digital environment, when we outsource a task, it is likely happening online. And if information is transferred online, we must consider the cyber security aspect.
Since 2017, many cities and counties across the U.S. have faced breaches of their online utility bill pay services, leading to fraudulent charges to credit cards used in the bill pay system. Currently, the following cities and counties have reported issues with their online bill pay system:
- Goodyear, AZ
- Village of Wellington, FL
- City of Oxnard, CA
- City of Ormond Beach, FL
- City of Port Orange, FL
- Oceanside, CA
- Beaumont, TX
- City of Fond du Lac, WI
- City of Thousand Oaks, CA
It turns out these organizations all have something in common – they use the same third-party application, Click2Gov, for their bill pay service. According to Superion, which owns Click2Gov, an internal investigation found that the vulnerability exists in Oracle’s WebLogic application, a third-party software application needed to run Click2Gov, and not in the Click2Gov software itself. Superion says that it has proactively provided security patches to 99% of its customers; however, this security issue appears to be ongoing, with new cities reporting problems as recently as mid-October.
This Click2Gov issue exposes a very real danger of using third-party apps. Not only are you putting your data in the hands of the third-party app, but potentially in the hands of that app’s third-party vendors. Can we be sure that our data is protected all the way down the line? The short answer is that there are no guarantees. It would serve you well to have a risk mitigation plan for third-party applications, which can lay out the risks and benefits of using a certain third-party application and ultimately help guide you when choosing whether or not to share data.