Stanislav Alforov spends his days scanning the dark web for unusual patterns — the result of credit card and other sensitive financial information being sold by criminals.

In November, he saw one of those patterns emerging when his staff discovered batches of personal information and credit cards from Saint John being offered for sale online.

Alforov is the man responsible for protecting numerous financial institutions from online theft.

The director of research for the cybersecurity firm Gemini Advisory, based in New York, helps reduce losses for those clients by employing a team of experts to comb the dark web for criminal activity.

"We're able to identify a lot of these breaches before any else has," said Alforov in an interview with CBC.

But the breach he identified in November didn't involve a bank or credit union. It didn't involve a single local institution. The breach had spread to dozens of municipalities across North America that use click2gov software to allow clients to pay their bills online.

In the case of Saint John, it was the server used to collect parking fines that had been hacked.

"We saw large pockets of data coming from Saint John but we'd also see some additional zip codes heading from [municipalities] around it," said Alforov. "Immediately that kind of alerted us. It said hey, this is very much out of pattern and let's look a little bit further into this."

Alforov says more than 6,000 credit card numbers from Saint John and nearby municipalities were sold along with information from click2gov servers in 46 American cities.

Alforov says in mid-November he took the information to CentralSquare Technologies, the Florida company that owns click2gov software, but found they were not very co-operative.

On Nov. 18 Alforov issued an online advisory titled "Dozens of municipalities exposed in Click2gov software compromise."

The response in some cases was outright skepticism.

After Saint John officials read the story three days later, they contacted Alforov saying they had "concerns about the accuracy" of the information he released.

He responded by sending them an email file with the names of 4,600 city residents whose stolen credit card information had been sold online over a 16-month period.

"Local municipalities don't exactly have the most robust security system running on their internal servers," said Alforov, who suggests a safer route would be allow a third-party company like click2gov store the information in the cloud.

Correspondence with the security expert is among more than 700 pages of city of Saint John documents released to CBC under Right to Information legislation.

Those documents also suggest the number of New Brunswickers whose personal information was stolen may be much higher than thought.

A Jan. 2 internal email written by Saint John Parking Commission director of operations Marc Dionne indicates as many as 14,000 people may have been impacted by the breach.

A letter sent by the city Jan. 8 to people who were potentially affected said the number could be as high as 10,000.

In a statement, a city spokeswoman says it was not possible to determine which customers had their credit card information stolen.

