According to a report by TechCrunch, a logging server used to monitor the Calgary Parking Authority’s parking system for bugs and errors was left online without a password, exposing drivers’ full names, dates of birth, phone numbers, and email and postal addresses, as well as details of parking tickets.
The report notes that since the server’s data was entangled with logs and other computer-readable data, it’s not known exactly how many people had their information exposed by the security lapse.
Security researcher Anurag Sen found the exposed server and reported it to its owner. The server was secured on Tuesday, a day after the authority was contacted. The authority stated that the exposure was due to human error and that it was investigating its logs to determine if anyone else had access to the server.
“We at the CPA take this very seriously,” Moe Houssaini, the acting general manager for the Calgary Parking Authority, told TechCrunch in a statement. “Any public access has been disabled and we are actively investigating to determine what exact data was impacted and what unauthorized access may have occurred. We apologize to our customers and will be reaching out to all individuals who may have been impacted.”
The Calgary Parking Authority oversees around 14% of the paid parking spots in the Calgary region, and lets drivers pay to park their cars at a parking kiosk, online, or through the phone app by entering their vehicle’s license plate number and payment details.