The company that provides the cashless parking app used in Annapolis, Baltimore and other cities has said a data breach in March compromised users’ personal information.
Atlanta-based ParkMobile provided details of the breach in an email to customers on May 24, weeks after an online tech columnist reported that the personal data of 21 million customers were being sold online by Russian hackers.
“In March, ParkMobile became aware of a cybersecurity incident linked to a vulnerability in a third-party software which we use,” the company wrote in its email. “In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident.”
The company said no credit card information or parking history was accessed, and while the hack did get to encrypted passwords, the keys to unlock the passwords were not reached.
ParkMobile said it has closed the breach and notified the appropriate law enforcement authorities. It said customers should check their passwords to make sure they follow recommended security tips but stopped short of recommending a change. The email included a link to the company website for changing ParkMobile passwords.
SP+, the company that runs parking meters and garages in Annapolis, began using the ParkMobile app in 2019. At the time ParkMobile was used by more than 13 million people in North America, including Baltimore, Washington, Bethany Beach, Ocean City and Towson. The company calls itself the most widely used parking app in the United States.
By last spring, the app was being used approximately 12,500 times per month in Annapolis, the city announced.
A spokesperson for SP+ deferred comment to ParkMobile on Sunday. There was no information about the breach posted on the Annapolis Parking website.
According to tech columnist Brian Krebs, who runs the website KrebsOnSecurity, the stolen data, which included customer email addresses, phone numbers, license plate numbers, mailing addresses and “hashed passwords,” was being sold online shortly after the breach.
Krebs, a former Washington Post reporter, wrote that he learned about the breach from Gemini Advisory, a private intelligence firm that monitors cybercrime forums. Gemini identified a thread on a Russian-language forum that included ParkMobile account information, he wrote.
Among the accounts visible in a screenshot of the information for sale was Krebs’ own account with ParkMobile.
“Included in the data were my email address and phone number, as well as license plate numbers for four different vehicles we have used over the past decade,” he wrote.
In a statement posted to its website on April 15, ParkMobile said that its own probe of the data breach revealed license plate numbers, email addresses and phone numbers had been compromised, but that no credit card information was accessed.
The company said it sent a security notice about the breach to customers on March 26.
A spokesman for ParkMobile could not be reached for comment Sunday.