The Calgary Parking Authority left one of its data servers unsecured for months, potentially exposing thousands of drivers' personal information.
The parking authority was made aware of the security lapse, which was originally reported by tech industry news site TechCrunch, on Tuesday.
Alex Paredes, the CPA's manager of IT and technical services, said in an emailed statement the CPA immediately conducted an investigation and implemented security measures to restrict unauthorized access to the logging server's data.
"We at the CPA take cyber security very seriously. Protecting access to our systems and the privacy of our customers is a top priority. We have notified customers who may have been impacted. This issue has been corrected and the data has been secured. We have conducted a thorough investigation and have implemented additional measures to prevent future recurrence," the statement read.
The CPA initially said its investigation determined that the issue dated back to a server being misconfigured on May 13, and that only 12 customers saw their data compromised.
Paredes said the customers first and last names, email addresses and encrypted passwords would have been accessible if someone had the server's public-facing IP address and was able to search for the content.
Parking offences, addresses likely included on server
However, Anurag Sen — a security researcher who found the exposed server and had asked for TechCrunch's assistance in reporting the lapse to the CPA — wrote on Twitter that he saw more than 100,000 users' information and that the size of the unsecured server was larger than 500 GB.
For context, a high-definition movie takes up about 5 GB of storage, and text files take up significantly less space.
TechCrunch reporter Zack Whittaker wrote that the site's review of the logs found additional information for thousands of drivers, including details of parking offences and postal addresses, and partial payment data. None of the data was encrypted, he reported.
"We reviewed a sample of data, removed duplicates and found thousands of records among a small amount of exposed logs. As part of any data breach or security lapse we investigate (as we would with any story), we keep receipts/evidence to support our findings," Whittaker told CBC.
And Bob Diachenko, another cyber security researcher, tweeted that he had spotted the user data and reported it to the CPA in May, sharing a screenshot of his email to the authority, but said he had not received a response.
Diachenko also told CBC that he doesn't believe just 12 accounts were exposed, saying that, based on the metadata, hundreds of gigabytes of data were exposed and that a search indicated there were potentially thousands of passwords on the server.
CBC News has not seen or had an opportunity to verify those logs.
Privacy commissioner notified
In a followup response to inquiries from CBC News, the CPA said TechCrunch and Sen had brought it to their attention that more than 12 people were affected.
"For the cybersecurity team to ascertain the full impact of this security incident, a full forensic investigation will be conducted to determine if there were additional points of entry not found by the CPA and to assess the impact of the security incident," Paredes said in an emailed statement. "This investigation will determine the scope of users affected and any further mitigations required."
The CPA said it has notified the Office of the Information and Privacy Commissioner of Alberta of the security incident.
The CPA also said it appreciated Diachenko's attempt to alert it to the lapse, but the CPA said its IT teams somehow did not receive his email. The CPA said it is following up internally to determine what happened.
The CPA manages approximately 14 per cent of all paid parking stalls in Calgary on behalf of the city — nearly 6,700 on-street spaces and nearly 10,700 stalls in surface lots and parkades. The authority reports to city council through its board of directors.