12,000 victims of fake payment windows: how hackers attacked the website of a utility company in Texas

Residents of Lubbock, Texas, were among the victims of a financial information leak: attackers introduced malicious code into the utility payment resource, imperceptibly taking possession of the data of more than 12,000 cards.

The incident unfolded from December 18, 2024 to January 6, 2025. Users who paid for water, sewage, garbage removal or stormwater through the City of Lubbock Utilities (COLU) website entered information not in real fields, but in a fake pop-up window created by scammers.

• According to official security breach notifications that reached users, the attackers obtained names, addresses, payment card numbers, their CVV codes and expiration dates. The city’s internal systems were not compromised; the vulnerability was in a third-party vendor that hosted the COLU website.
• While no payments were blocked, customer data ended up in the hands of criminals. The incident was also reported to the Texas State Registry, which has reported 12,503 victims—a number that is likely to grow with reports from other states, including Vermont.

The attack on Lubbock’s online payment system is a stark reminder of the vulnerability of municipal platforms. Even without compromising the underlying infrastructure, attackers can still inflict massive damage by exploiting simple interface elements. It’s a message to local governments across the country that systems that collect funds from the public need to be as secure as banking platforms.