Just another day in the wild wild west that they call the internet. It seems that a popular mobile parking app called ParkMobile is suffering from a data breach that is allowing someone to sell personal information related to 21 million customers of the app. These customers use ParkMobile to find open parking spots and pay for them without having to run to the parking meter every few minutes.
21 million ParkMobile customers have some of their sensitive personal data up for sale
According to Krebs, “Gemini shared a new sales thread on a Russian-language crime forum that included my ParkMobile account information in the accompanying screenshot of the stolen data. Included in the data were my email address and phone number, as well as license plate numbers for four different vehicles we have used over the past decade.”
On March 26th, ParkMobile notified subscribers that it had detected “a cybersecurity incident linked to a vulnerability in a third-party software that we use. In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident. Out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time.”
ParkMobile was able to tell concerned users that no credit card information was stolen. In a statement, the company said, “Our investigation indicates that no sensitive data or Payment Card Information, which we encrypt, was affected. Meanwhile, we have taken additional precautionary steps since learning of the incident, including eliminating the third-party vulnerability, maintaining our security, and continuing to monitor our systems.”
Giving ParkMobile more incentive to improve its security, on March 9th, European parking firm EasyPark, which offers a service similar to ParkMobile's, offered to buy the latter. ParkMobile is the top parking app in North America with 22 million users and a presence in 450 U.S. cities.
The information taken from ParkMobile’s customers was offered for sale at the price of $125,000. Krebs believes that this is too high a price for a cybercriminal to pay for data offered by someone without a reputation online and could keep the data from getting bought.
“Our investigation has confirmed that basic user information – license plate numbers and, if provided by the user, email addresses and/or phone numbers, and vehicle nicknames – was accessed. In a small percentage of cases, mailing addresses were affected. No credit cards or parking transaction history were accessed, and we do not collect Social Security numbers, driver’s license numbers, or dates of birth.
Please rest assured we take seriously our responsibility to safeguard the security of our users’ information and appreciate your continued trust.”
To reiterate, if you are a ParkMobile customer, you might want to change all of your passwords. If that is too much work for you, at least change the password on any other app where you reuse the one from your ParkMobile account.