Introduction 

Park’N Fly is a popular airport parking service that experienced a data breach between July 11 and July 13, 2024. The company operates in several Canadian cities, including Ottawa, Montreal, Halifax, Edmonton, Toronto, Winnipeg, and Vancouver. The extent of the compromise was announced much later, in August 2024, when the company disclosed that unauthorized access had been gained and about 1 million customer files were compromised.

A notice was provided to customers informing them that personal information such as names, email addresses, mailing addresses, and Aeroplan and CAA numbers had been exposed in the breach; however, the company stated that no payment information was involved. This event emphasizes the importance of having appropriate measures in place to protect customer data.

Details of the Breach 

Companies that process large volumes of customer data, including data as sensitive as payment card information that is subject to PCI DSS (Payment Card Industry Data Security Standard), must maintain a strong security posture to protect that data. Although payment information was not compromised, the amount of PII (Personally Identifiable Information) that was compromised is significant under a number of privacy laws such as the FOIP Act, PIA, PIPA, PIPEDA, etc.

Looking at how the breach occurred, an adversary gained access to Park’N Fly’s networks through a remote VPN during the time frame mentioned above. It is also important to note that the platforms and services were restored within 5 days of the incident. This shows the importance of business continuity and incident management procedures, as it would have been almost impossible to recover from the breach had these areas been lacking.

The organization took active measures to identify the root cause and determine the extent of the damage, and then promptly notified the affected customers of the data compromise. These actions reflect transparency in its practices, which should be a priority whenever the security of customer data is involved. Following this, the CEO issued an apology to customers and assured them of efforts to safeguard their data going forward.

Implications for Customers and Businesses 

While acknowledging the steps the company took to contain the incident, it is also important to highlight the potential risks to the customers whose information was leaked in this breach. Those customers are now exposed to attacks such as phishing and identity theft. Attackers can target them with phishing emails that impersonate Park’N Fly or another company in an attempt to defraud them or worse. The kind of information leaked also exposed the affected customers to identity theft, which left many customers angry and frustrated. This emphasizes the importance for businesses of monitoring VPN access logs for suspicious activity and ensuring that customer information is encrypted. Encrypting customer data ensures that, in the event of a breach, the unauthorized party has no use for the information. Strong encryption mechanisms will protect customer data from outsiders and even from the company itself.
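To make the "monitor VPN access logs for suspicious activity" recommendation concrete, the following is an added example of a small log-review script. It is not code from the original post or from Park’N Fly; the log line format, the user baseline, and the sample log lines are all constructed for illustration. It flags three patterns defenders commonly look for in VPN authentication logs: a successful login that follows a burst of failures from the same source, a successful login outside expected hours, and a successful login from a source IP the user has never used before.

```python
"""Added example: simple VPN access-log review (not Park'N Fly's own tooling).

Assumptions (constructed for illustration): the VPN appliance writes one line
per authentication attempt in the form
    <ISO-8601 UTC timestamp> user=<name> src=<ip> result=<success|failure>
and the defender keeps a per-user baseline of source IPs seen in the past.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log lines (RFC 5737 documentation addresses); the
# timestamps fall in the July 2024 window only to make the example concrete.
SAMPLE_LOG = """\
2024-07-11T14:02:10Z user=alice src=198.51.100.7 result=success
2024-07-11T23:41:05Z user=bob src=203.0.113.9 result=failure
2024-07-11T23:41:09Z user=bob src=203.0.113.9 result=failure
2024-07-11T23:41:14Z user=bob src=203.0.113.9 result=failure
2024-07-11T23:41:20Z user=bob src=203.0.113.9 result=failure
2024-07-11T23:41:27Z user=bob src=203.0.113.9 result=failure
2024-07-11T23:41:33Z user=bob src=203.0.113.9 result=success
2024-07-12T03:05:42Z user=alice src=192.0.2.44 result=success
2024-07-12T09:15:00Z user=carol src=198.51.100.22 result=success
"""

# Constructed baseline: source IPs each user has legitimately used before.
KNOWN_SOURCES = {
    "alice": {"198.51.100.7"},
    "bob": {"198.51.100.8"},
    "carol": {"198.51.100.22"},
}

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC is treated as expected
FAILURE_THRESHOLD = 5           # failures within FAILURE_WINDOW before a success
FAILURE_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines rather than crash the review
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return d


def review_vpn_log(text, known_sources=KNOWN_SOURCES):
    """Return a list of (rule, user, src, timestamp) alerts for a log text."""
    alerts = []
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        q = recent_failures[key]
        if ev["result"] == "failure":
            q.append(ev["ts"])
            # drop failures that fell out of the sliding window
            while q and ev["ts"] - q[0] > FAILURE_WINDOW:
                q.popleft()
            continue
        # Successful login: apply the three checks.
        if len(q) >= FAILURE_THRESHOLD and ev["ts"] - q[0] <= FAILURE_WINDOW:
            alerts.append(("success_after_failures", ev["user"], ev["src"], ev["ts"]))
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_login", ev["user"], ev["src"], ev["ts"]))
        if ev["src"] not in known_sources.get(ev["user"], set()):
            alerts.append(("new_source_ip", ev["user"], ev["src"], ev["ts"]))
        q.clear()  # a success resets the failure streak for this pair
    return alerts


if __name__ == "__main__":
    for rule, user, src, ts in review_vpn_log(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:24} user={user} src={src}")
```

On the constructed sample, bob's success at 23:41 trips all three rules and alice's 03:05 login from an unseen address trips two, while carol's daytime login from her usual address produces nothing. In practice the baseline would be built from historical logs and the hour ranges set per user or per region, but the shape of the checks is the same.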

Regulatory Oversight and Future Considerations 

It is also important to note that Park’N Fly expressed its commitment to protecting the privacy of its customers by notifying the Office of the Privacy Commissioner of Canada of the breach. Although customers expressed frustration with the incident, this is an important step that organizations should take to safeguard their reputation and avoid large fines or penalties for non-compliance with applicable laws and regulations. This incident reinforces the need for all other organizations to be more vigilant and to treat the security and privacy of customer data as a priority. Many organizations do not follow industry standards and frameworks when building an information security program, which can leave gaps in their security practices and an inability to effectively protect their customers and respond proactively to incidents. Building an information security program and having a risk management framework in place will go a long way toward foreseeing potential risks and putting preventive and detective controls in place to stop similar incidents from occurring.



6 Comments

  1. Great post! It’s always scary to see data breaches, especially so close to home with this company operating in Canada and especially in Edmonton. I’m surprised to see that the company is not offering some sort of free credit monitoring or identity theft protection, which companies usually offer after a data breach like this one. I’m also curious how the hackers got access to the VPN: did they social engineer an employee, or was there some sort of exploit in the VPN that gave them access? I’m also surprised that it looks like this data wasn’t encrypted within the company, as encrypting data at rest is, I hope, a common practice for companies.

    1. Thanks for your comment! You definitely raised some valid points. You are right about the free credit monitoring for identity protection, however, I do not believe there was any information provided on that from the news. They did advise customers to watch out for phishing attempts, or suspicious activity aimed at requesting personal information. Regarding the VPN breach as well, it is also unclear as there was no detailed information on how exactly it was carried out, but from the information gathered, it looks to be an exploit rather than social engineering. The lack of encryption was definitely the most concerning part for me as this should be standard practice. Hopefully, they are able to better safeguard customer data moving forward.

  2. Nice post. I have a concern about the incident because the company processes a huge number of card transactions, and losing its strong hold on customer information to an attacker makes me doubt whether they are PCI DSS (Payment Card Industry Data Security Standard) compliant. I believe any card processing company should know the importance of protecting customer information.

  3. Nice post Faizah! It is interesting how hackers are checking all possible vulnerabilities to “hack” the system. A remote VPN attack could stop the operations in so many places. It is interesting how hackers are always “improving” their attack methods and vectors. That is why it is important to be informed of any update and “day-zero” threat that could happen.

    As you mention, the company took a good step in recognizing the incident and notifying the public about the possible information leak. Constant surveillance is something that companies should adopt as a regular practice. I think the industry should focus more on IDS technologies that are affordable and reliable. Thanks for sharing the incident! Being aware of these events is always important.

  4. Nice work Faizah! Although Park’N Fly moved swiftly to alert consumers and the Privacy Commissioner, the amount of personal data that was stolen is nonetheless concerning. Even if payment information was not released, Aeroplan numbers might still be useful to thieves for phishing and fraud. This hack demonstrates our vulnerability to businesses that fail to implement adequate security measures. This exposes the impacted consumers to phishing scams and identity theft; it serves as a stark warning for organizations to encrypt not just payment information but also other sensitive personal data. Although the five days it took to restore services was excellent, it still goes to show how important business continuity planning is.

  5. Thank you for sharing. I appreciate your writing on this issue. I was a bit shocked, as I always assumed that connecting to a VPN can add an extra layer of protection to network connections. However, the lack of transparency on what caused the issue is a concern for me. I hope they share the incident details on academic forums and in knowledge sharing with professionals in the industry. I do believe a rigorous disclosure mechanism is needed whenever a company experiences a cyber-attack. This can help others test for similar vulnerabilities.
