Calgary Parking Authority may have exposed drivers’ personal info through unsecured server

The Calgary Parking Authority left one of its data servers unsecured for months, potentially exposing drivers’ personal information.

The parking authority was made aware of the security lapse, which was originally reported by tech industry news site TechCrunch, on Tuesday.

Alex Paredes, the CPA’s manager of IT and technical services, said in an emailed statement the CPA immediately conducted an investigation and implemented security measures to restrict unauthorized access to the logging server’s data. 

“We at the CPA take cyber security very seriously. Protecting access to our systems and the privacy of our customers is a top priority. We have notified customers who may have been impacted. This issue has been corrected and the data has been secured. We have conducted a thorough investigation and have implemented additional measures to prevent future recurrence,” the statement read. 

The CPA said its investigation determined that the issue dated back to a server being misconfigured on May 13, and that only 12 customers saw their data compromised. 

Paredes said the customers’ first and last names, email addresses and encrypted passwords would have been accessible if someone had the server’s public-facing IP address and was able to search for the content.

However, Anurag Sen — a security researcher who found the exposed server and had asked for TechCrunch’s assistance in reporting the lapse to the CPA — wrote on Twitter that he saw more than 100,000 users’ information and that the size of the unsecured server was larger than 500 GB.

For context, a high-definition movie takes up about 5 GB of storage, and text files take up significantly less space. 

TechCrunch reporter Zack Whittaker wrote that the site’s review of the logs found additional information for thousands of drivers, including details of parking offences and postal addresses, and partial payment data. None of the data was encrypted, he reported. 

And Bob Diachenko, another cyber security researcher, tweeted that he had spotted the user data and reported it to the CPA in May, sharing a screenshot of his email to the authority, but said he had not received a response. 

CBC News has not seen or had an opportunity to verify those logs. CBC News has asked the parking authority about the allegation that the breach was larger than reported, and the parking authority said it is working on a response.

The CPA manages approximately 14 per cent of all paid parking stalls in Calgary on behalf of the city — nearly 6,700 on-street spaces and nearly 10,700 stalls in surface lots and parkades. The authority reports to city council through its board of directors. 
