Nearly 150,000 Calgary Parking Authority customers had some of the personal information breached in 2021, the CPA has revealed.
Monday morning, the city-owned subsidiary apologized for the data breach.
“Protecting access to our systems, and the safety and security of your personal information is a top priority for us,” interim general manager Chris Blaschuk said in a statement. “This was an unfortunate, isolated incident; however, we have worked closely with our partners to strengthen our cybersecurity protections and mitigate incidents of a similar nature from occurring in the future.”
In the window the data was accessed, an investigation that included a third-party cybersecurity expert found 145,895 customer files could have been accessed, with data such as:
- combined information elements of licence plates, validation tag numbers, vehicle information, residential address, and violation ticket information
- and CPA ParkingID numbers.
It’s the same incident originally reported to the public in July 2021, where it was originally thought that only 12 customers had their names, email addresses and encrypted passwords accessed when a misconfigured server was publicly accessible for about two and a half months.
The CPA said when its team became aware of the breach, it closed it the breach, restricting further access to the data.
The parking authority said since implementing cybersecurity measures, there has been no evidence of further breaches.
“We believe there is a low risk that the elements of personal information may be further exposed. We continue to monitor the situation closely,” Blaschuk said.
“We sincerely appreciate your understanding and regret any distress this incident may have caused.”
The parking authority has also obtained a CyberSecure Canada Certification – which includes controls for small and medium organizations to protect their data, networks and customers – and advises all Calgarians to protect themselves from cyber threats by:
- changing passwords regularly, not using easy-to-guess passwords and not using the same password for multiple accounts
- monitoring accounts and reporting suspicious activity to police and the Canadian Anti-Fraud Centre
- being vigilant against phishing – the gathering of information by third parties by deception and fake websites
The CPA also noted a report of the breach has been filed with the Office of the Information and Privacy Commissioner of Alberta.