More than 145,000 affected by parking database breach
The Calgary Parking Authority is apologizing after the personal information of more than 145,000 customers was exposed in a security breach last year.
The authority said in a Monday news release it has wrapped up an investigation alongside the City of Calgary and a third-party cybersecurity expert.
That investigation found the personal information of 145,895 customers was accessible during the breach, which was made public in July 2021. Those data included full names, emails, usernames, vehicle information, addresses and ticket information.
The city said it didn't identify other sensitive information, like passwords or credit card details, when investigating the breach.
It added there's been no evidence of further breaches or misuse of the exposed personal information after the privacy lapse was fixed.
“This was an unfortunate, isolated incident; however, we have worked closely with our partners to strengthen our cybersecurity protections and mitigate incidents of a similar nature from occurring in the future,” said the parking authority's interim general manager Chris Blaschuk in a statement. “We believe there is a low risk that the elements of personal information may be further exposed. We continue to monitor the situation closely. We sincerely appreciate your understanding and regret any distress this incident may have caused.”
The authority said it has obtained cybersecurity certification after implementing additional security measures.
It said the breach was secured within 20 minutes after the organization became aware data was accessible to external parties.
Postmedia spoke with the cybersecurity researcher who found the breach last year. Anurag Sen said he found the exposed data while doing a routine web mapping project. He charged a parking authority database was accessible online without password protection or encryption, visible to anyone with its web URL.
The exposed data was publicly accessible from May 13, 2021 to July 27, 2021, the city said.
A second cybersecurity consultant tweeted he had reported the breach to the authority in late May, but the authority said it didn't receive that report.
The city said cybersecurity inquiries related to the authority can now be directed to Reportcybersec@calgaryparking.com.