An investigation conducted by the Calgary Parking Authority,┬аthe city-operated agency that┬аmanages municipal┬аparking services in the city,┬аhas revealed that the personal information of 145,895 customers was exposed for at least┬аtwo months last year.
It’s a revelation that the┬аchair of the cybersecurity program at the Northern Alberta Institute of Technology is calling “shameful” and “negligent.”
“Something like this really shouldn’t happen in┬аIT departments these days,” said┬аJohn Zabiuk.
Last year, the tech industry news site┬аTechCrunch┬аreviewed logs containing contact information such as┬аdriver’s full names, dates of birth, phone numbers, email addresses and postal addresses.┬а
The CPA initially said┬аonly 12 customers had┬аtheir data compromised. But on Monday, it confirmed that figure was well over 100,000.
“I’d like to offer an apology for our customers of the Calgary Parking Authority whose data was exposed through this incident,” said Chris Blaschuk, the interim general manager at the CPA.┬а
“We’ve done a forensic investigation and determined there were various pieces of information that were potentially at risk.”
The breach involved an unsecured online logging server that could be accessed if individuals knew its┬аpublic-facing IP address.
The parking authority said the data was exposed between May 13 and July 27, though TechCrunch reported last year that it had viewed logs dating back to at least the start of 2021. CBC┬аNews has not viewed those logs.
The parking authority was made aware of the security lapse in late July 2021 and said it secured the information within 20 minutes of becoming aware of the incident.
The CPA couldn’t say whether or not any external parties had accessed the data, adding its monitoring has not indicated that it has been used in any sort of way to this point. It has also obtained a “Cyber Secure Canada Certification.”
“Part of the investigation determined there was a human error element involved in exposing the server,”┬аBlaschuk said.┬а“So we’ve definitely increased our checks and balances with our internal processes for establishing things such as virtual servers.”
Security implications
The NAIT cybersecurity expert┬аsaid the incident raises a number of concerns for Calgarians, particularly given how accessible the data was.
“You wouldn’t necessarily just have to have the IP address specifically told to you, or found somewhere on a deep, dark forum,” Zabiuk said.
There are a lot of applications that can be used to scan the internet to look for open ports or IP addresses that are responding, Zabiuk said, to determine which ports are responding back on those IP addresses, which indicate a server or a workstation behind them.
“These scans are happening 24/7, all the time, on the internet. Any kid that takes a course and downloads a particular software package┬атАж┬аthey can scan the entire internet. And it’s happening all the time. So to not be aware of something like that happening,┬аand┬аto leave a server exposed like that, it really comes down to negligence.”
Zabiuk said that poses serious implications, given the information such as dates of birth, driver’s licence information and other personal data exposed in the breach.
“People could use that information to register a vehicle under your name┬атАж or just looking up your licence plate number to find out where you live,” he said.┬а
“If you did receive a ticket in that time frame, you’d definitely want to keep an eye on things and maybe looking at perhaps getting a new licence number.”
