Calgarys parking dominance exposed drivers personal data and tickets
Zack Whittaker@zackwhittaker / 10:00 am CDT"July 28, 2021
Grunge parking lot
Image Credits: Samaro (opens in a new window)/ Getty Images
If you parked your car in one of the thousands of parking spots across Calgary, theres a good gamble you paid the Calgary Parking authority for the privilege. But soon you mightiness be audience from the authority after a recent certificate lapse exposed the personal info of vehicle owners.
The parking authority oversees about 14% of the paid parking spots in the Calgary region, and lets drivers pay to green their cars by a parking kiosk, online, or through the phone app by entering their vehicles permission scale number and payment details.
But a logging server used to monitor the authoritys parking system for bugs and errors was left on the internet without a password. The server contained computer-readable technical logs, but also real-world events like payments and parking tickets that contained a drivers personal information.
A brushup of the logs by TechCrunch found contact information, like drivers full names, dates of birth, phone numbers, email addresses and postal addresses, as well as details of parking tickets and parking offenses which included permission plates and vehicle descriptions and in some cases the location data of where the alleged parking offense took place. The logs also contained some partial card payment numbers and expiry dates.
None of the data was encrypted.
Because the servers data was entangled with logs and other computer-readable data, its not known exactly how many multitude had their info exposed by the security lapse. (In 2019, the Calgary Parking potency issued more than 450,000 parking tickets, up by 69% in fivesome years.)
Security researcher Anurag Sen found the exposed server and asked TechCrunch for help in reporting it to its owner. The server was secured on Tuesday, a day after TechCrunch contacted the authority.
A spokesperson for the authority confirmed that the server was exposed since may 13, though data seen by TechCrunch shows records dating back to at least the scratch of the year. The authorization also told TechCrunch that the exposure was due to human error and that it was investigating its logs to determine if anyone else had access to the server.
We at the CPA read this very seriously, Moe Houssaini, the acting general coach for the Calgary Parking Authority, told TechCrunch in a statement. Any public access has been disabled and we are actively investigating to see what exact data was impacted and what unauthorized access may get occurred. We excuse to our customers and will live reaching out to all individuals who may have been impacted. Protecting the security of our systems and privacy of our customers is a whirligig antecedence of the CPA. It was an isolated error, and the database has now been secured. We are reviewing our procedures to ensure that this does not hap again.
The Calgary Parking authorization recently made headlines after it canceled more than a thousand parking tickets for drivers who were attendance a COVID-19 vaccination heart in the city.
Earlier this year, New York-based cashless parking startup ParkMobile reported a data transgress that saw personal account information and permission plates on some 21 zillion customers taken by hackers. The troupe blamed the breach on a vulnerability in an unspecified piece of third-party software.