Exploit This

Security News, Exploits, and Vulnerabilities.

Park ‘N Fly, OneStopParking Confirm Breaches

Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking.com, competing airport parking services that let customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.

When contacted by this author on Dec. 15, Atlanta-based Park ‘N Fly said that while it had recently engaged multiple security firms to investigate breach claims, it had not found any proof of an intrusion. In a statement released Tuesday, however, the company acknowledged that its site was hacked and leaking credit card data, but stopped short of saying how long the breach persisted or how many customers may have been affected. A portion of the statement reads:

“Park ‘N Fly (“PNF”) has become aware of a security compromise involving payment card data processed through its e-commerce website. PNF has been working continuously to understand the nature and scope of the incident, and has engaged third-party data forensics experts to assist with its investigation. The data compromise has been contained. While the investigation is ongoing, it has been determined that the security of some data from certain payment cards that were used to make reservations through PNF’s e-commerce website is at risk. The data potentially at risk includes the card number, cardholder’s name and billing address, card expiration date, and CVV code. Other loyalty customer data potentially at risk includes email addresses, Park ‘N Fly passwords, and telephone numbers.”

The Park ‘N Fly homepage now includes a conspicuous notice stating that the Web site is temporarily unable to process transactions and directs customers to a 1-800 number for reservations.

Reading the Park ‘N Fly disclosure made me wonder if anything had changed over at OneStopParking.com, a Florence, Ky.-based competitor that KrebsOnSecurity reported on Dec. 30, 2014 as the likely source of another e-commerce breach. Reached via phone this morning, the site’s manager Amer Ghanem said the company recently determined that hackers had broken into its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for OneStopParking.com and its customers, the company put off applying that Joomla update because it broke portions of the site.

Ghanem said his firm is in the process of notifying affected customers.

Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy stolen goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.

The stolen CVVs traced back to both Park ‘N Fly and Onestopparking.com were among thousands for sale in large batches of card data being peddled at Rescator[dot]cm, the same crime shop that first moved cards stolen in the retail breaches at Home Depot, Target, Sally Beauty, P.F. Chang’s and Harbor Freight. The card data in both batches ranged in price from $6 to $9 per card, and included the card number, expiration date, 3-digit card verification code, as well as the cardholder’s name, address and phone number.

Cards from the “Solidus” base at Rescator map back to One Stop Parking.

Predictably, Park ‘N Fly is offering affected consumers 12 months of free credit monitoring services, even though credit protection services generally do nothing to detect or prevent fraud on existing accounts — such as credit cards. For more on what credit monitoring services actually do (and don’t do) check out this primer.

Interestingly, the disclosure timeline for both of these companies would have been consistent with a new data breach notification law that President Obama called for earlier this week. That proposal would require companies to notify consumers about a breach within 30 days of discovering their information has been hacked.
