Calgary

Calgary Parking investigation reveals more than 145,000 customers exposed during data breach

An investigation conducted by the Calgary Parking Authority, the city-owned agency that reports to council, has revealed that the personal information of 145,895 customers was exposed for more than two months last year.

Names, emails, usernames, vehicle info and addresses could have been accessed

A Calgary Parking Authority sign in downtown Calgary on Sept. 16. (Jeff McIntosh/The Canadian Press)

An investigation conducted by the Calgary Parking Authority, the city-operated agency that manages municipal parking services in the city, has revealed that the personal information of 145,895 customers was exposed for at least two months last year.

It's a revelation that the chair of the cybersecurity program at the Northern Alberta Institute of Technology is calling "shameful" and "negligent."

"Something like this really shouldn't happen in IT departments these days," said John Zabiuk.

Last year, the tech industry news site TechCrunch reviewed logs containing contact information such as driver's full names, dates of birth, phone numbers, email addresses and postal addresses. 

The CPA initially said only 12 customers had their data compromised. But on Monday, it confirmed that figure was well over 100,000.

"I'd like to offer an apology for our customers of the Calgary Parking Authority whose data was exposed through this incident," said Chris Blaschuk, the interim general manager at the CPA. 

"We've done a forensic investigation and determined there were various pieces of information that were potentially at risk."

The Calgary Parking Authority says a forensic investigation revealed the unauthorized disclosure of the personal information of more than 140,000 customers. It could have disclosed names, emails, licence plate information, residential addresses and more. (Dave Gilson/CBC)

The breach involved an unsecured online logging server that could be accessed if individuals knew its public-facing IP address.

The parking authority said the data was exposed between May 13 and July 27, though TechCrunch reported last year that it had viewed logs dating back to at least the start of 2021. CBC News has not viewed those logs.

The parking authority was made aware of the security lapse in late July 2021 and said it secured the information within 20 minutes of becoming aware of the incident.

The CPA couldn't say whether or not any external parties had accessed the data, adding its monitoring has not indicated that it has been used in any sort of way to this point. It has also obtained a "Cyber Secure Canada Certification."

"Part of the investigation determined there was a human error element involved in exposing the server," Blaschuk said. "So we've definitely increased our checks and balances with our internal processes for establishing things such as virtual servers."

Security implications

The NAIT cybersecurity expert said the incident raises a number of concerns for Calgarians, particularly given how accessible the data was.

"You wouldn't necessarily just have to have the IP address specifically told to you, or found somewhere on a deep, dark forum," Zabiuk said.

There are a lot of applications that can be used to scan the internet to look for open ports or IP addresses that are responding, Zabiuk said, to determine which ports are responding back on those IP addresses, which indicate a server or a workstation behind them.

"These scans are happening 24/7, all the time, on the internet. Any kid that takes a course and downloads a particular software package … they can scan the entire internet. And it's happening all the time. So to not be aware of something like that happening, and to leave a server exposed like that, it really comes down to negligence."

A guy with glasses sits at a table with a piece of paper and cell phone on the table
John Zabiuk, chair of the cybersecurity program at NAIT, says breaches such as a recent incident at the Calgary Parking Authority should be rare but are still occurring — and that poses a huge problem. (CBC)

Zabiuk said that poses serious implications, given the information such as dates of birth, driver's licence information and other personal data exposed in the breach.

"People could use that information to register a vehicle under your name … or just looking up your licence plate number to find out where you live," he said. 

"If you did receive a ticket in that time frame, you'd definitely want to keep an eye on things and maybe looking at perhaps getting a new licence number."

ABOUT THE AUTHOR

Joel is a reporter/editor with CBC Calgary. In fall 2021, he spent time with CBC's bureau in Lethbridge. He was previously the editor of the Airdrie City View and Rocky View Weekly newspapers. He hails from Swift Current, Sask. Reach him by email at joel.dryden@cbc.ca

With files from Sarah Rieger