In a recent data breach, at least 12,000 people had their sensitive financial information stolen. The hackers infiltrated the utility payment website of Lubbock, Texas, between December 18, 2024, and January 6, 2025. The breach impacted individuals who made utility payments for water, wastewater, stormwater, and solid waste during this period. The malicious actors implanted a fake pop-up window requesting credit card payment information from users on the legitimate payment site.
The affected data includes names, billing addresses, payment card numbers, CVVs, and expiration dates. While no payments were delayed, individuals who entered their credit card details into the fake pop-up window may have been exposed. The city of Lubbock discovered the incident on January 6, 2025, and began notifying impacted individuals this week. Breach notices were filed in several states, including Texas, Vermont, and others.
The breach occurred on a third-party hosted website, and city officials confirmed that the internal network was not compromised.
Hackers increasingly use malicious code or “e-skimmers” to steal payment data, as opposed to physical skimmers. The breach follows a pattern observed in other recent cyberattacks, such as one involving the Green Bay Packers website. Experts report that stolen payment card data is frequently sold on the dark web.
Cybersecurity specialists at Recorded Future observed a significant increase in the number of stolen card records being sold on the dark web. In March 2025 alone, 16 million card records were posted for sale, marking a rise from February. Additionally, over 150,000 stolen U.S. checks were listed on Telegram, 19% of which were newly stolen items. These patterns highlight the growing sophistication of cybercriminals targeting online payment systems.
Reference:
