Calgary Parking investigation reveals more than 145,000 customers exposed during data breach

An investigation conducted by the Calgary Parking Authority,the city-operated agency thatmanages municipalparking services in the city,has revealed that the personal information of 145,895 customers was exposed for at leasttwo months last year.

It's a revelation that thechair of the cybersecurity program at the Northern Alberta Institute of Technology is calling "shameful" and "negligent."

"Something like this really shouldn't happen inIT departments these days," saidJohn Zabiuk.

Last year, the tech industry news siteTechCrunchreviewed logs containing contact information such asdriver's full names, dates of birth, phone numbers, email addresses and postal addresses.

• Calgary Parking to conduct forensic investigation after security lapse exposed drivers' info

The CPA initially saidonly 12 customers hadtheir data compromised. But on Monday, it confirmed that figure was well over 100,000.

"I'd like to offer an apology for our customers of the Calgary Parking Authority whose data was exposed through this incident," said Chris Blaschuk, the interim general manager at the CPA.

"We've done a forensic investigation and determined there were various pieces of information that were potentially at risk."

The breach involved an unsecured online logging server that could be accessed if individuals knew itspublic-facing IP address.

The parking authority said the data was exposed between May 13 and July 27, though TechCrunch reported last year that it had viewed logs dating back to at least the start of 2021. CBCNews has not viewed those logs.

The parking authority was made aware of the security lapse in late July 2021 and said it secured the information within 20 minutes of becoming aware of the incident.

The CPA couldn't say whether or not any external parties had accessed the data, adding its monitoring has not indicated that it has been used in any sort of way to this point. It has also obtained a "Cyber Secure Canada Certification."

"Part of the investigation determined there was a human error element involved in exposing the server,"Blaschuk said."So we've definitely increased our checks and balances with our internal processes for establishing things such as virtual servers."

Security implications

The NAIT cybersecurity expertsaid the incident raises a number of concerns for Calgarians, particularly given how accessible the data was.

"You wouldn't necessarily just have to have the IP address specifically told to you, or found somewhere on a deep, dark forum," Zabiuk said.

There are a lot of applications that can be used to scan the internet to look for open ports or IP addresses that are responding, Zabiuk said, to determine which ports are responding back on those IP addresses, which indicate a server or a workstation behind them.

"These scans are happening 24/7, all the time, on the internet. Any kid that takes a course and downloads a particular software packagethey can scan the entire internet. And it's happening all the time. So to not be aware of something like that happening,andto leave a server exposed like that, it really comes down to negligence."

Zabiuk said that poses serious implications, given the information such as dates of birth, driver's licence information and other personal data exposed in the breach.

"People could use that information to register a vehicle under your name or just looking up your licence plate number to find out where you live," he said.

"If you did receive a ticket in that time frame, you'd definitely want to keep an eye on things and maybe looking at perhaps getting a new licence number."