Data Breaches in the Parking Industry
In many cities in the United States, the days of struggling to find enough quarters to insert into a parking meter and sprinting back to your car before the meter runs out are a thing of the past. Instead, parking apps such as ParkMobile make it easy to pay for parking by phone and add additional time as needed. However, these apps expose consumers to new challenges, one of which is the risk of a data breach.
As our society becomes increasingly dependent on technology, cyber criminals are constantly changing the tactics they use to access consumers’ data and use it for malicious purposes. There is a lot we can learn from breaches that have already occurred. Businesses and consumers alike must do their part to prevent cyber attacks.
March 2021 ParkMobile Breach
In March of 2021, a cybersecurity firm discovered that data for 21 million ParkMobile customers was listed for sale on a Russian-language crime forum. The information included basic account information such as phone numbers, email addresses, and license plate numbers. Fortunately, it did not include credit card information, and the passwords the hackers obtained were hashed rather than stored in plaintext, so the original passwords could not be read directly from the data.
ParkMobile is the most widely used parking platform in the industry. They offer a white labeling service, which allows companies to use their own branded parking app or website powered by ParkMobile, such as Park NYC or Park It Charlotte. This is a common practice in many industries, but it means that some users may not have even been aware which companies had access to their data in the first place.
Regulatory requirements for data breaches are determined by the state where the affected individual resides. Even though ParkMobile is based in Georgia, it operates in 41 states and the District of Columbia. Since it serves many large cities with high volumes of tourism, it is possible that this data breach affected individuals from all 50 states as well as multiple countries.
Things That Went Well
There are several things that ParkMobile did well that prevented hackers from obtaining even more information.
- ParkMobile adopts a philosophy of collecting only the minimum amount of data necessary. This means that they don’t request driver’s license numbers, birth dates, or social security numbers, personal data that is not required to provide the ParkMobile service.
- They also utilize a robust password hashing algorithm called bcrypt. Although the hackers did access the hashed passwords in the database, ParkMobile doesn’t store the salt values, so no one would be able to make use of the passwords.
- ParkMobile launched an investigation immediately upon learning about the data breach and notified law enforcement.
- ParkMobile notified customers of the breach and advised everyone to change their passwords as a best practice, even though the hackers likely did not have access to them.
These practices are important for all businesses to follow to prevent data breaches and reduce the impact if they do occur.
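The two practices above, collecting only the fields the service needs and storing passwords only as salted hashes, are easy to show in code. The example below is added here and is not ParkMobile’s code; it uses PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for bcrypt (both are slow, salted password hashes, and both carry the salt inside the stored string so that a login can be verified), the field names and the sample sign-up form are constructed for the example, and the iteration count is an assumption chosen to make offline guessing expensive.

```python
import base64
import hashlib
import hmac
import os

# Data-minimization policy, constructed for this example to mirror the page:
# the service stores only what it needs to operate and drops everything else.
ALLOWED_FIELDS = {"phone", "email", "license_plate"}
SECRET_FIELDS = {"password"}  # never stored in plaintext

# Assumed work factor for the PBKDF2 stand-in (bcrypt's cost parameter plays the same role).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Hash a password with a fresh random salt.

    Returns a self-describing record "pbkdf2-sha256$<iterations>$<salt>$<digest>"
    with the salt and digest base64-encoded. Like a bcrypt string, the record
    carries its own salt, so verification needs no other stored secret and two
    users with the same password still get different hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2-sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False  # malformed record: reject rather than crash
    return hmac.compare_digest(candidate, expected)


def minimize_registration(form: dict) -> tuple:
    """Build the stored account record from a sign-up form.

    Keeps only ALLOWED_FIELDS, replaces the password with its hash, and returns
    the names of every field it dropped so the caller can log them and remove
    the fields the service should not be asking for in the first place.
    """
    record = {key: value for key, value in form.items() if key in ALLOWED_FIELDS}
    record["password_hash"] = hash_password(form["password"])
    dropped = sorted(key for key in form if key not in ALLOWED_FIELDS | SECRET_FIELDS)
    return record, dropped


if __name__ == "__main__":
    # Constructed sample sign-up form, including fields a minimal policy refuses.
    form = {
        "phone": "555-0100",
        "email": "driver@example.com",
        "license_plate": "ABC1234",
        "password": "correct horse battery staple",
        "birth_date": "1990-01-01",
        "ssn": "000-00-0000",
    }
    record, dropped = minimize_registration(form)
    print("stored record:", record)
    print("dropped fields:", dropped)
    print("login ok:", verify_password(form["password"], record["password_hash"]))
```

If the stored record is ever leaked, the attacker gets the salt and the digest but still has to run the slow hash once per guess per user, which is what makes the hashed passwords far less useful than plaintext; the dropped-field list is what a reviewer would check to confirm that the sign-up form is not quietly collecting data the service never needed.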
Areas for Improvement
Sometimes, breaches can happen even if you do everything right. It is important for companies to have a strong privacy and security program that not only works to prevent data breaches, but also limits the type of data that may be accessed in the event of a breach.
In most industries that involve transactions with customers, there are multiple layers of vendors involved. For example, the city of Annapolis, MD contracts with a company called SP+ to manage parking for the city. In turn, SP+ contracts with ParkMobile and utilizes their app to manage payments for metered parking. In the security notification that ParkMobile sent to customers, they identified a vulnerability in third-party software as the main cause of the data breach.
It is crucial for both parking operators and software providers to fully vet any programs and third-party solutions they utilize and clearly understand the impact on customer data. Parking operators should perform reviews and audits of the vendors that hold personal information to ensure they are abiding by the same privacy and security standards that the operator publishes to its customers and/or employees. These reviews should be repeated every year to ensure their contractors are still meeting high standards of cybersecurity and privacy. According to Help Net Security, only 23 percent of organizations monitor all suppliers, which likely contributes to the high rate of data breaches we see today.
Some steps parking operators can take to vet third-party vendors include:
- Understand the service provided and the level of access the vendor will have to data
- Perform an annual privacy and security assessment on vendors that have access to personal or sensitive data
- Before adopting a vendor’s solution, review the vendor’s hiring practices, industry certifications, data security policies, use of encryption, and its own process for vetting the third-party vendors it relies on
- Request certifications such as SOC 2, ISO 27001, and PCI Attestations of Compliance
Understanding these details about third-party vendors can go a long way in selecting vendors that take cybersecurity seriously.
How Does a Data Breach Impact the Affected Company?
Data breaches can impact companies in a variety of ways, including lost revenue due to website or app downtime after a breach, loss of trust from consumers, loss of intellectual property, and hidden costs such as legal fees or regulatory fines.
One of the main challenges ParkMobile is facing after the March 2021 data breach is a class action lawsuit, which alleges that ParkMobile did not follow basic security procedures and put their customers at risk for identity theft and fraud. The plaintiffs report that they have spent considerable time and money trying to prevent further harm now that their data is available on the dark web. Since all 21 million impacted customers can join the class action lawsuit, ParkMobile could end up having to pay out a substantial amount of settlement money.
For reference, other large companies have paid out multi-million-dollar settlements for data breaches in recent years. Some of the highest settlements include:
- Home Depot ($200 Million)
- Capital One ($190 Million)
- Uber ($148 Million)
- Morgan Stanley ($120 Million)
- Yahoo ($85 Million)
Since lawsuit settlements are only one part of the financial impact a security breach can have on a company, it is well worth investing money to prevent security breaches in the first place.
How Does a Data Breach Impact Consumers?
In addition to the impact a data breach has on companies, these cyber attacks cause added stress for consumers and can leave them vulnerable to additional cybersecurity issues. Some of the main ways a data breach harms consumers include:
- Time spent changing passwords
- Expense of monitoring accounts
- Time spent monitoring accounts for unusual activity
- Time spent freezing credit cards
- Heightened feeling of vulnerability and fear of potential malicious use of personal data
- Loss of trust in a corporation’s ability to protect private data
Data breaches have become so common that some consumers disregard notifications of yet another data breach. The effects of a data breach on the consumer may not be evident at first, but over time, the amount of data that cyber criminals have access to on any given individual can add up.
In the past, identity theft was the most common threat with data breaches. Although this still happens, there are many more safeguards in place to prevent identity theft and punish criminals who successfully steal someone else’s identity. Because of this, cyber criminals are constantly looking for new ways to exploit vulnerabilities to obtain passwords and money.
Phishing is one of the major ways cyber criminals get paid. Most people are familiar with typical phishing scams. For example, a Nigerian prince sends an email saying he has millions of dollars he needs to transfer overseas, and if you just provide your bank account information, you’ll get a share of his treasure. The old saying “If it seems too good to be true, it probably is” is applicable here. However, phishing has become more targeted in recent years, and even people who are tech savvy and vigilant about security sometimes fall for the scams.
I believe a big tactical change for cyber criminals will be contacting people via SMS, or text message, instead of email. This practice, known as smishing, takes advantage of the idea that these days, many people trust a text message more than an email.
Develop your Privacy and Security Program
ParkMobile considers themselves to be the leading provider of parking solutions in the country, but a similar data breach could happen to any company, large or small. It is possible to prevent many data breaches and mitigate the effects if a breach does occur.
Parking operators should vet their vendors and manage them regularly to ensure they keep high data security standards. In addition, they should review the data that is being collected or transferred to these vendors to determine the amount of third-party exposure they may be allowing. Risk is a part of business, but every business must analyze their risk and decide if the risk is acceptable or too high.
All companies should review data security policies regularly with their teams and provide regular training. Since the nature of cybercrime changes so rapidly, frequent training with updated protocols can empower employees to stay on top of the latest threats and make wise decisions that will help protect your company from data breaches.