Calgary Parking investigation finds over 145,000 customers exposed in data breach
An investigation by the Calgary Parking Authority, the city-run agency that manages city parking services, revealed that the personal information of 145,895 customers was exposed for at least two months last year.
It’s a revelation that the chair of the Northern Alberta Institute of Technology’s cybersecurity program calls “shameful” and “negligent.”
“Something like this really shouldn’t happen in IT today,” said John Zabiuk.
Last year, tech industry news site TechCrunch reviewed logs containing contact information such as drivers’ full names, dates of birth, phone numbers, email addresses and postal addresses.
The CPA initially said only 12 customers had their data compromised. But on Monday it confirmed that the figure was well over 100,000.
“I would like to apologize to our customers at the Calgary Parking Authority whose data was exposed in this incident,” said CPA Acting Chief Executive Chris Blaschuk.
“We conducted a forensic investigation and determined that various information was potentially at risk.”
The breach involved an insecure online logging server that was accessible to anyone who knew its public IP address.
The parking authority said the data was exposed between May 13 and July 27, although TechCrunch reported last year that it had looked at logs dating back to at least early 2021. CBC News did not consult these logs.
The parking authority was notified of the security failure in late July 2021 and said it had secured the information within 20 minutes of becoming aware of the incident.
The CPA could not say whether or not external parties had accessed the data, adding that its monitoring did not indicate that it had been used in any way so far. It has also obtained a “Cyber Secure Canada certification”.
“Part of the investigation determined that there was an element of human error involved in the server exposure,” Blaschuk said. “So we’ve definitely increased our checks and balances with our internal processes to establish things like virtual servers.”
The NAIT cybersecurity expert said the incident raises a number of concerns for Calgarians, especially given the accessibility of data.
“You wouldn’t necessarily need to be told the IP address specifically, or find it somewhere on a deep, dark forum,” Zabiuk said.
Many apps can be used to scan the Internet for responding IP addresses, Zabiuk said, and to determine which ports are open on those addresses, which points to a server or workstation behind them.
“These scans are happening 24/7, all the time, on the internet. Any kid who takes a course and downloads a particular piece of software…they can scan the whole internet. And it’s happening all the time. So, to not be aware of something like this happening, and leaving a server exposed like this, is really negligent.”
Zabiuk said this has serious implications, given information such as dates of birth, driver’s license information and other personal data exposed in the breach.
“People could use this information to register a vehicle under your name…or just look up your license plate number to find out where you live,” he said.
“If you received a ticket within that timeframe, you would definitely want to keep an eye on things and perhaps consider getting a new license number.”