Two services that allow users to reserve offsite airport parking spots over the Internet confirmed this week that they recently suffered data breaches and that customer data may be at risk.
Park ‘N Fly, headquartered in Atlanta, and OneStopParking, which is based in Florence, Ky., allow travelers to purchase parking spaces online in lots adjacent to airports in the United States and Canada.
In a statement on its site Tuesday, Park ‘N Fly, which has locations at airports from Alaska to Florida, disclosed a compromise involving customers’ payment card data.
Park ‘N Fly is warning customers who made reservations through its e-commerce website that much of their payment card data – card number, name and billing address, card’s expiration date and CVV code – may be in jeopardy. Supplemental information, such as users’ email addresses, passwords and telephone numbers, may also be at risk, according to the service.
While Park ‘N Fly claims it has contained the compromise, a curious message on its website, next to the statement describing the breach, says the service can no longer process reservations online. Citing “system maintenance,” Park ‘N Fly, at least for the time being, is instructing customers to call a toll-free number to reserve spots.
KrebsOnSecurity.com said that OneStopParking, a similar parking service that has 80 locations in the U.S. and two in Canada (Montreal and Vancouver), was also breached. Brian Krebs, who spoke to the site’s manager, Amer Ghanem, yesterday, reports that the site was hacked after a Joomla vulnerability patched in September was exploited.
Ghanem, who told Krebs he’s in the process of notifying customers and posting a notice to the site, reportedly put off patching the vulnerability because it broke some parts of the site.
Joomla, an open-source content management system, underwent a series of updates in September to address a denial of service vulnerability and a remote file inclusion vulnerability that put hosted data at risk and could have allowed remote files to be executed.
Krebs claims payment card data, CVV codes in particular, from customers at both services has been spotted on Rescator, the same e-shop that was caught peddling cards lifted from breaches at Home Depot, Target, Sally Beauty Supply, and other high-profile compromises over the past year or so.
The two services join another parking management services provider, SP+, which announced in November that it had been breached, with the compromise dating back to April at some locations. Hackers made off with customers’ names, card numbers, expiration dates and verification codes after malware made it onto their systems via a payment processor’s remote management tool.