Full Report
Marietta, Georgia is one of numerous entities affected by the BridgePay ransomware attack. On February 13, the city posted the following notice on its website: The City of Marietta is currently unable to process certain online credit card payments due to a recent service disruption by one of the City’s payment gateway providers. We are...
Analysis Summary
# Incident Report: Supply Chain Ransomware Attack Affecting BridgePay & City of Marietta
## Executive Summary
In February 2026, BridgePay Network Solutions, a payment gateway provider, fell victim to a nationwide ransomware attack. The incident resulted in a significant service disruption for hundreds of municipalities, including the City of Marietta, Georgia, which lost the ability to process online credit card payments. While services were offline, BridgePay reported that forensic findings indicate no payment card data was compromised, as accessed files were encrypted at the time of the breach.
## Incident Details
- **Discovery Date:** February 6, 2026
- **Incident Date:** February 6, 2026 (Early morning)
- **Affected Organization:** BridgePay Network Solutions (Primary); City of Marietta, GA (Secondary/Downstream)
- **Sector:** Financial Services / Government
- **Geography:** United States (Nationwide impact)
## Timeline of Events
### Initial Access
- **Date/Time:** February 6, 2026, early morning.
- **Vector:** Not publicly disclosed (Undisclosed ransomware group).
- **Details:** Attackers targeted BridgePay's production and certification environments.
### Lateral Movement
- **Details:** Evidence suggests movement across multiple internal systems, including the PathwayLink Gateway (T-Gate), BridgePay Gateway API, and the Support Portal.
### Data Exfiltration/Impact
- **Details:** The primary impact was the encryption of infrastructure, leading to a total service outage. While files were accessed by the threat actors, BridgePay claims the files were already encrypted, preventing usable data exposure.
### Detection & Response
- **Discovery:** System outages occurred immediately on February 6.
- **Response actions taken:** BridgePay engaged federal authorities and recovery specialists; the City of Marietta notified the public on February 13 and began implementing alternative manual payment methods.
## Attack Methodology
- **Initial Access:** Ransomware (Method undisclosed).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Targeted payment processing APIs and virtual terminals.
- **Lateral Movement:** Moved between Gateway production and UAT (Testing) environments.
- **Collection:** Targets included files in the support and boarding portals.
- **Exfiltration:** Accessed files, though "unusable" due to encryption.
- **Impact:** Service disruption (Inhibiting credit card processing).
## Impact Assessment
- **Financial:** Loss of revenue through online payment delays; costs associated with implementing emergency payment workarounds.
- **Data Breach:** BridgePay's initial findings suggest no payment card data (PCI) or usable data was compromised.
- **Operational:** "Hundreds of municipalities" unable to process business licenses, excise taxes, or utility payments online.
- **Reputational:** High public visibility due to the city website notice and disruption of local government services.
## Indicators of Compromise
- **Host Indicators:** [None disclosed in article]
- **Network Indicators:**
  - gateway[.]itstgate[.]com (Production Gateway)
  - gatewaystage[.]itstgate[.]com (UAT Environment)
- **Behavioral Indicators:** Sudden loss of API connectivity for BridgePay Gateway and MyBridgePay Portal.
## Response Actions
- **Containment:** Suspension of affected gateway services.
- **Eradication:** Recovery specialists and federal authorities engaged to review the incident.
- **Recovery:** Marietta implemented "secure alternative payment solutions" and resumed in-person payments at City Hall. Priority restoration was given to excise tax payments (Liquor, Hotel/Motel).
## Lessons Learned
- **Supply Chain Vulnerability:** A single failure at a third-party payment provider can paralyze the revenue collection of hundreds of government entities simultaneously.
- **Data Protection:** The fact that accessed files were encrypted likely prevented a more severe data privacy catastrophe.
- **Communication:** Marietta’s prompt public notice (within one week of the provider's outage) helped manage citizen expectations.
## Recommendations
- **Business Continuity:** Maintain a secondary/backup payment processor to avoid single points of failure for critical revenue streams.
- **Vendor Risk Management:** Require SOC 2 reports and specific ransomware incident response SLAs from third-party financial service providers.
- **Offline Procedures:** Ensure staff are trained on manual/in-person payment processing during digital outages to maintain operational continuity.
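
The behavioral indicator above (sudden loss of gateway API connectivity) and the Business Continuity recommendation can be combined on the downstream side. The following is an added example, not code from BridgePay, the City of Marietta, or the source article; the processor names, thresholds, and probe data are hypothetical and constructed for illustration. It fails over to a backup processor only on sustained probe failure and fails back only after a run of healthy probes, so a single blip does not flap payment routing.

```python
from dataclasses import dataclass, field


@dataclass
class GatewayRouter:
    """Routes payments to a primary processor, failing over on sustained outage."""
    primary: str
    secondary: str
    fail_threshold: int = 3      # consecutive failed probes before failover (assumed)
    recover_threshold: int = 5   # consecutive good probes before failback (assumed)
    active: str = ""
    events: list = field(default_factory=list)  # (timestamp, action, new active processor)
    _fails: int = 0
    _oks: int = 0

    def __post_init__(self):
        self.active = self.primary

    def observe(self, ts: int, ok: bool) -> str:
        """Record one health probe of the primary; return the active processor."""
        if ok:
            self._oks, self._fails = self._oks + 1, 0
        else:
            self._fails, self._oks = self._fails + 1, 0
        if self.active == self.primary and self._fails >= self.fail_threshold:
            self.active = self.secondary
            self.events.append((ts, "FAILOVER", self.secondary))
        elif self.active == self.secondary and self._oks >= self.recover_threshold:
            self.active = self.primary
            self.events.append((ts, "FAILBACK", self.primary))
        return self.active


# Constructed probe results for the primary gateway: (epoch seconds, probe succeeded)
PROBES = [(0, True), (60, False), (120, True),        # single blip: no failover
          (180, False), (240, False), (300, False),   # sustained loss: failover
          (360, False), (420, True), (480, True),
          (540, True), (600, True), (660, True)]      # five good probes: failback


def replay(probes):
    """Feed probe results through a router with hypothetical processor names."""
    router = GatewayRouter(primary="primary-gateway", secondary="backup-processor")
    for ts, ok in probes:
        router.observe(ts, ok)
    return router


if __name__ == "__main__":
    for event in replay(PROBES).events:
        print(event)
```

Each entry in `events` is also the point at which to alert the security and finance teams, since an unexplained failover is the downstream signal of a provider-side incident.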