This week, two parking companies confirmed what had been suspected since last month: representatives for Park 'N Fly and OneStopParking both admitted that hackers managed to steal customer financial data from their payment systems.
Park 'N Fly Canada is a separate, unaffiliated company and was not affected by the breach, a spokesman said.
Security expert Brian Krebs, whose financial-industry sources first told him about the possibility of such breaches last month, noted this week that, although Park 'N Fly representatives in mid-December had initially denied finding any proof of criminal intrusion into their systems, a month later they said something else. On Jan. 13, with little fanfare, Park 'N Fly released a “Security Update” on its website, admitting that the company “has become aware of a security compromise involving payment card data processed through its e-commerce website” and “some data from certain payment cards that were used to make reservations through PNF’s e-commerce website is at risk,” including:
the card number, cardholder’s name and billing address, card expiration date, and CVV code. Other loyalty customer data potentially at risk includes email addresses, Park ‘N Fly passwords, and telephone numbers.
As of press time, Park 'N Fly's main homepage is not processing transactions, but directs customers to a 1-800 number if they wish to make reservations:
We apologize for the inconvenience but we are performing some system maintenance on our website and are unable to process your transaction.
The company has not yet said how long the breach actually lasted. Krebs also spoke to a representative of OneStopParking, who confirmed a breach:
Reached via phone [on Jan. 14], the site’s manager Amer Ghanem said the company recently determined that hackers had broken in to its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for OneStopParking.com and its customers, the company put off applying that Joomla update because it broke portions of the site.
Oops. The stolen customer data is illicitly being offered for sale at the same online underground crime shop that previously handled information stolen in breaches at Home Depot, Target, Sally Beauty Supply, P.F. Chang's and Harbor Freight.