Data Breach Hits Parking in Chicago, Seattle & Philly

The data-breach scourge has come to a vertical that those of us in cities hold near and dear: parking. 

Parking facility service provider SP+ said that between Sept. 29 and Nov. 10, cybercriminals were able to gain access to payment card data at garages in the Chicago area, Philadelphia and Seattle—including the cardholder’s name, card number, expiration date, and verification code. In total, the incident affected 17 SP+ parking facilities, as detailed in its public notice on the web.

SP+ was alerted to the issue on Nov. 3, when its payment card processor let it know that an “unauthorized person” had tapped into certain point-of-sale (PoS) systems. The perpetrator(s) used a remote access tool (RAT) to connect to the systems and install malware that searched for payment card data being routed through the computers that accept payments made at the parking facilities.

SP+ said that it immediately launched an investigation and engaged a computer forensic firm to examine the payment systems in the parking facilities. The malware has been disabled on all affected servers, and SP+ has required that the vendor convert to the use of two-factor authentication for remote access.

It has also notified its payment processor, which is working with credit card companies to provide them with the account numbers for cards used during the period at issue so that the banks that issued those cards can be alerted. When banks receive these alerts, they can conduct heightened monitoring of transactions to detect and prevent unauthorized charges.

“Though SP+ does not have sufficient information to identify whether any specific cards were taken or to mail notification letters to the potentially affected cardholders, SP+ wanted to let its customers know about this incident as soon as it could,” the company said in the notice.

The company has listed the affected facilities and the dates within which the malware would have been active; if a customer used his or her card at one of these locations between the earliest and last at-risk dates, he or she should regularly review his or her account statements for any unauthorized activity. If a customer sees any unauthorized charges, the customer should contact the bank that issued the card. The credit card companies typically guarantee that cardholders will not be responsible for fraudulent charges.
