Park ‘N Fly is notifying a million customers of a data breach that potentially exposed their sensitive information.
The Canadian offsite parking operator offers parking services around airports in Edmonton, Halifax, Montreal, Ottawa, Toronto, Vancouver, and Winnipeg, and also offers other auto services such as car washing and oil change.
According to data breach notification letters sent to impacted customers, the unauthorized activity occurred between July 11 and July 13, 2024, and involved compromised VPN credentials.
Park ‘N Fly data breach leaks personal information
The parking operator launched an investigation that determined on August 1, 2024, that the threat actor accessed customer personal information, including the victims’ full names, email addresses, postal addresses, and Canadian Automobile Association (CAA) and Aeroplan numbers.
However, Park ‘N Fly stressed that the data breach did not expose customers’ payment card information or account login credentials.
Nevertheless, it exposes customers to account takeover attacks via exposed Aeroplan numbers and phishing attacks via exposed email addresses, which could eventually lead to exposed credit cards.
Frequent fliers with business-issued credit cards and more reward points are more likely to be impacted since threat actors usually target wealthy individuals with large balances.
Additionally, such victims infrequently track their spending habits compared to personal credit card holders, granting hackers more time to exploit exposed payment card details.
While crucial details regarding the cybersecurity incident were unavailable, including the threat actor’s identity and how the VPN credentials leaked, a Park ‘N Fly spokesperson said the data breach affected “1 million customer files.”
Park ‘N Fly implements stringent security measures after a data breach
Park ‘N Fly said it hired external cybersecurity experts to assess the incident and restored the impacted systems within five days. Local media reports that the parking operator has also notified the Office of the Privacy Commissioner of Canada.
Additionally, it implemented stringent technical and administrative security measures to protect customer information from similar data breaches.
“While Park ‘N Fly has taken steps to improve security post-incident, proactive measures such as regular security audits, stronger authentication for VPN access, and customer education on cybersecurity could help mitigate similar risks in the future,” said Rogier Fischer, CEO of Hadrian.
So far, the company has not observed any additional unauthorized activity but advised victims to remain vigilant for potential phishing attacks by scrutinizing unsolicited emails containing unusual content, such as suspicious links and attachments.
In addition, they should avoid disclosing personal details over the phone, a tactic that threat actors frequently employ to lure victims into disclosing sensitive information, such as credit cards. The company has also provided a phone number that concerned customers can call for direct support.
Park ‘N Fly also said it remained “committed to transparency” and would “prioritize the integrity” of its systems while addressing the cybersecurity incident.
Meanwhile, air travelers frequently face various cyber threats targeting the aviation industry and affecting airlines, airports, and third-party service providers supporting air travel.