If you parked your car in one of the thousands of parking spots across Calgary, there’s a good chance you paid the Calgary Parking Authority for the privilege. But soon you might be hearing from the authority after a recent security lapse exposed the personal information of vehicle owners.
The parking authority oversees about 14% of the paid parking spots in the Calgary region, and lets drivers pay to park their cars by a parking kiosk, online, or through the phone app by entering their vehicle’s license plate number and payment details.
But a logging server used to monitor the authority’s parking system for bugs and errors was left on the internet without a password. The server contained computer-readable technical logs, but also real-world events like payments and parking tickets that contained a driver’s personal information.
A review of the logs by TechCrunch found contact information, like driver’s full names, dates of birth, phone numbers, email addresses and postal addresses, as well as details of parking tickets and parking offenses — which included license plates and vehicle descriptions — and in some cases the location data of where the alleged parking offense took place. The logs also contained some partial card payment numbers and expiry dates.
None of the data was encrypted.
Because the server’s data was entangled with logs and other computer-readable data, it’s not known exactly how many people had their information exposed by the security lapse. (In 2019, the Calgary Parking Authority issued more than 450,000 parking tickets, up by 69% in five years.) However, TechCrunch has seen evidence that at least thousands of customers are affected, though the total number of affected customers is likely to be higher.
Security researcher Anurag Sen found the exposed server and asked TechCrunch for help in reporting it to its owner. The server was secured on Tuesday, a day after TechCrunch contacted the authority.
Christina Casallas, a spokesperson for the authority confirmed that the server was exposed since May 13, though data seen by TechCrunch shows records dating back to at least the start of the year. The authority also told TechCrunch that the exposure was due to human error and that it was investigating its logs to determine if anyone else had access to the server.
“We at the CPA take this very seriously,” Moe Houssaini, the acting general manager for the Calgary Parking Authority, told TechCrunch in a statement. “Any public access has been disabled and we are actively investigating to determine what exact data was impacted and what unauthorized access may have occurred. We apologize to our customers and will be reaching out to all individuals who may have been impacted. Protecting the security of our systems and privacy of our customers is a top priority of the CPA. It was an isolated error, and the database has now been secured. We are reviewing our procedures to ensure that this does not happen again.”
The Calgary Parking Authority recently made headlines after it canceled more than a thousand parking tickets for drivers who were attending a COVID-19 vaccination center in the city.
Earlier this year, New York-based cashless parking startup ParkMobile reported a data breach that saw personal account information and license plates on some 21 million customers taken by hackers. The company blamed the breach on a vulnerability in an unspecified piece of third-party software.
- Geico admits fraudsters stole customers’ driver’s license numbers for months
- Metromile says a website bug let a hacker obtain driver license numbers
- ICE mined driver’s license photos for facial recognition
- Volkswagen says a vendor’s security lapse exposed 3.3 million drivers’ details
You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop.