New details on the cyberattack that befell the city-operated municipal parking services agency Calgary Parking Authority (CPA) reveal that the data of hundreds of thousands of customers were potentially exposed.
Earlier this week, CPA interim general manager Chris Blaschuk confirmed that a vulnerability on one of its servers exposed the information of 145,895 customers, despite an earlier statement saying that only 12 customers had their data compromised.
"I'd like to offer an apology for our customers of the Calgary Parking Authority whose data was exposed through this incident," Blaschuk said in a statement, adding that the CPA conducted a forensic investigation which determined that there were “various pieces of information that were potentially at risk."
Last year, it was found that CPA had left a logging server without a password, which allowed anyone to access the network for as long as they knew its public-facing IP address. The security research firm Anurag Sen first detected the vulnerability, and then reached out to TechCrunch to help report the potential breach to the CPA.
Upon TechCrunch’s review of the logs recorded on the server, it was found that customers’ information, such as their names, birthdates, phone numbers, email addresses, postal addresses, and even parking ticket/offences data was exposed. The parking details also gave out customers’ license plate information and vehicle descriptions. Most worrying is that the logs also contained partial card payment numbers and expiry dates.
A CPA spokesperson last year confirmed that the server in question was exposed since May 13, 2021, and that the agency had secured the information within 20 minutes of discovering the vulnerability. But TechCrunch said that the server had records dating back to at least the start of 2021.
At present, the CPA could not say whether any external parties had accessed the data. The agency also gave assurances that its monitoring has not yet uncovered if any of the exposed personal data had been used, CBC News reported.
"Part of the investigation determined there was a human error element involved in exposing the server," said Blaschuk. "So we've definitely increased our checks and balances with our internal processes for establishing things such as virtual servers."