Calgary Parking Authority Data Breach: Driver Information Exposed

Calgary Parking Authority Data Breach Exposes Vehicle Owner Information

Individuals who have utilized parking services managed by the Calgary Parking Authority may be affected by a recent data security incident. A significant lapse in security protocols has potentially exposed the personal details of vehicle owners who have paid for parking across Calgary.

Scope of the Calgary Parking Authority’s Operations

The Calgary Parking Authority manages approximately 14% of all paid parking locations within the Calgary area. Drivers typically settle parking fees through parking kiosks, online platforms, or a dedicated mobile application, providing their vehicle’s license plate number and payment information during the process.

Details of the Security Vulnerability

A server responsible for logging activity within the parking authority’s system – used for identifying and resolving bugs and errors – was inadvertently left accessible on the internet without password protection. This server contained not only technical logs, but also records of real-world transactions, including payments and parking citations, which held sensitive driver information.

TechCrunch’s investigation of these logs revealed the exposure of contact details such as full names, dates of birth, phone numbers, email addresses, and postal addresses. Furthermore, details pertaining to parking tickets and violations – including license plate numbers, vehicle descriptions, and the locations of alleged infractions – were also compromised.

Critically, the exposed data was not protected by encryption.

Extent of the Data Exposure

Determining the precise number of individuals impacted by this security breach is challenging due to the intermingling of data with system logs. However, considering the Calgary Parking Authority issued over 450,000 parking tickets in 2019 – a 69% increase over five years – the number of affected customers is likely substantial. Evidence suggests at least thousands of customers have been impacted.

Discovery and Remediation

The unsecured server was discovered by security researcher Anurag Sen, who then contacted TechCrunch for assistance in notifying the authority. The server was subsequently secured on Tuesday, following contact from TechCrunch.

Calgary Parking Authority’s Response

Christina Casallas, a spokesperson for the authority, confirmed the server was exposed since May 13th, although TechCrunch’s analysis of the logs indicates records dating back to the beginning of the year. The authority attributes the exposure to human error and is currently reviewing its logs to ascertain if unauthorized access occurred.

Moe Houssaini, the acting general manager, stated, “We at the CPA take this very seriously. Any public access has been disabled and we are actively investigating to determine what exact data was impacted and what unauthorized access may have occurred. We apologize to our customers and will be reaching out to all individuals who may have been impacted. Protecting the security of our systems and privacy of our customers is a top priority of the CPA. It was an isolated error, and the database has now been secured. We are reviewing our procedures to ensure that this does not happen again.”

Recent Related Incidents

The Calgary Parking Authority recently garnered attention for rescinding over a thousand parking tickets issued to individuals attending a COVID-19 vaccination center.

Earlier this year, ParkMobile, a New York-based cashless parking startup, experienced a data breach affecting approximately 21 million customers, with hackers gaining access to personal account information and license plate details. The company cited a vulnerability in third-party software as the cause.

Further Information

Read more:

• Geico admits fraudsters stole customers’ driver’s license numbers for months
• Metromile says a website bug let a hacker obtain driver license numbers
• ICE mined driver’s license photos for facial recognition
• Volkswagen says a vendor’s security lapse exposed 3.3 million drivers’ details

Secure communication channels are available via Signal and WhatsApp at +1 646-755-8849. Files and documents can also be submitted using our SecureDrop.