In total, CPA exposed 502 GB worth of data without any authentication.
Anurag Sen, a security researcher, identified a data leak in which a server belonging to the Calgary Parking Authority (CPA) was found exposing the private information of thousands of drivers across Calgary, including some user passwords.
It is worth noting that CPA oversees around 14% of the region’s paid parking spots. Drivers pay the charges and book a spot online or via the phone app, where they are required to enter their payment details and vehicle’s license plate number.
The incident is reminiscent of ParkMobile’s data breach, in which hackers stole the parking app's data and leaked over 21 million user records online.
What Data Was Exposed?
Sen, who first identified the exposed server during a web mapping project, told Hackread.com the data includes a wide range of personal information such as:
- Full names
- Email addresses
- Dates of birth
- Vehicle details
- Parking ticket details
Moreover, Sen revealed that the data also included partial card information, including CVV and expiry date, as well as access tokens, some of which contained passwords and payment details.
Sen further noted that the server was exposed because it wasn’t protected with a password, meaning anyone with the server URL could access it.
Over 500 GB of Data Exposed
The exposed server was 502 GB in size and contained data/records of more than 100,000 users. Sen also shared some screenshots of the server contents with Hackread.com. What’s worse is that the data was left unencrypted, which is a blatant security lapse.
In a statement, CPA’s spokeswoman, Christina Casallas, said:
“The CPA verified the issue and implemented additional security measures to restrict unauthorized access to the data. Protecting the security of our systems and the privacy of our customers is a top priority of the CPA. Additional security measures have been applied to prevent future recurrence, and ongoing recommendations from our security investigation will be implemented.”
On the other hand, another security researcher, Bob Diachenko, tweeted a screenshot of an email he sent to CPA on May 24 to notify the authority about the security breach, but he claims that he didn’t receive any response. Nevertheless, Alberta’s Office of the Privacy Commissioner has been informed about the breach.