An investigation conducted by the Calgary Parking Authority, the city-operated agency that manages municipal parking services in the city, has revealed that the personal information of 145,895 customers was exposed for at least two months last year.
It's a revelation that the chair of the cybersecurity program at the Northern Alberta Institute of Technology is calling "shameful" and "negligent."
"Something like this really shouldn't happen in IT departments these days," said John Zabiuk.
Last year, the tech industry news site TechCrunch reviewed logs containing contact information such as driver's full names, dates of birth, phone numbers, email addresses and postal addresses.
The CPA initially said only 12 customers had their data compromised. But on Monday, it confirmed that figure was well over 100,000.
"I'd like to offer an apology for our customers of the Calgary Parking Authority whose data was exposed through this incident," said Chris Blaschuk, the interim general manager at the CPA.
"We've done a forensic investigation and determined there were various pieces of information that were potentially at risk."
The breach involved an unsecured online logging server that could be accessed if individuals knew its public-facing IP address.
The parking authority said the data was exposed between May 13 and July 27, though TechCrunch reported last year that it had viewed logs dating back to at least the start of 2021. CBC News has not viewed those logs.
The parking authority was made aware of the security lapse in late July 2021 and said it secured the information within 20 minutes of becoming aware of the incident.
The CPA couldn't say whether or not any external parties had accessed the data, adding its monitoring has not indicated that it has been used in any sort of way to this point. It has also obtained a "Cyber Secure Canada Certification."
"Part of the investigation determined there was a human error element involved in exposing the server," Blaschuk said. "So we've definitely increased our checks and balances with our internal processes for establishing things such as virtual servers."
The NAIT cybersecurity expert said the incident raises a number of concerns for Calgarians, particularly given how accessible the data was.
"You wouldn't necessarily just have to have the IP address specifically told to you, or found somewhere on a deep, dark forum," Zabiuk said.
There are a lot of applications that can be used to scan the internet to look for open ports or IP addresses that are responding, Zabiuk said, to determine which ports are responding back on those IP addresses, which indicate a server or a workstation behind them.
"These scans are happening 24/7, all the time, on the internet. Any kid that takes a course and downloads a particular software package … they can scan the entire internet. And it's happening all the time. So to not be aware of something like that happening, and to leave a server exposed like that, it really comes down to negligence."
Zabiuk said that poses serious implications, given the information such as dates of birth, driver's licence information and other personal data exposed in the breach.
"People could use that information to register a vehicle under your name … or just looking up your licence plate number to find out where you live," he said.
"If you did receive a ticket in that time frame, you'd definitely want to keep an eye on things and maybe looking at perhaps getting a new licence number."