Airport Parking Companies: We Were Breached

Two online airport parking services have confirmed that they suffered payment card data breaches in December, Krebs on Security reported on Wednesday (Jan. 14).

Park ‘N Fly previously said it hired multiple security firms to investigate breach claims after credit-card numbers apparently used at its locations showed up on cybercrime sites. In a statement this week, the Atlanta-based company confirmed that its e-commerce site had been hacked and was leaking credit-card data, but it didn’t say how long the breach lasted or how many customers were affected.

Park ‘N Fly “has been working continuously to understand the nature and scope of the incident, and has engaged third-party data forensics experts to assist with its investigation,” the statement said. “The data potentially at risk includes the card number, cardholder’s name and billing address, card expiration date, and CVV code. Other loyalty customer data potentially at risk includes email addresses, Park ‘N Fly passwords, and telephone numbers.”

Park ‘N Fly has also stopped processing transactions online and is directing customers to a toll-free number to make parking reservations.

A Park ‘N Fly competitor has also been breached. Researcher Brian Krebs reported in late December that OneStopParking.com, an online airport-parking company based in suburban Cincinnati, had probably suffered a card data breach as well. On Wednesday the company confirmed that hackers had broken into its systems through a vulnerability for which patches were available, but which the company hadn’t applied because the fixes broke portions of its e-commerce site.

OneStopParking.com said it is in the process of notifying affected customers.

The stolen card numbers for both parking companies were being sold in batches with prices ranging from $6 to $9 per card, and included the card number, expiration date, 3-digit card verification code, and the cardholder’s name, address and phone number.

In both cases, the companies’ disclosures of the breaches would have been consistent with the proposed federal data breach notification law that the White House called for on Monday (Jan. 12). That proposal would require companies to notify consumers about a breach within 30 days of discovering that their information has been hacked.