On December 16, 2014, investigative reporter Brian Krebs stated that two separate banks had uncovered a pattern of credit card fraud indicating that Park 'N Fly had been breached -- and two weeks later, Krebs reported that sources at several banks had told him the common point of purchase for a new batch of card data found for sale online was OneStopParking.com.
It wasn't until January 13, 2015, though, that Park 'N Fly posted a notice on its website acknowledging that customer payment card data, including names, billing addresses, card numbers, expiration dates and CVV codes, had been accessed by hackers.
For members of Park 'N Fly's Frequent Parker Program, the company says email addresses, passwords and telephone numbers may also have been accessed.
Park 'N Fly says the breach has now been contained, and all those affected are being offered one free year of identity protection services from AllClear ID. Customers with questions are advised to contact (855) 683-1165.
"PNF is committed to protecting its customers and their information, and will continue a comprehensive response to thoroughly investigate and respond to the incident and improve its data security," Park 'N Fly stated. "The company is also working with law enforcement and credit card brands."
While there's currently no notice posted at OneStopParking.com, site manager Amer Ghanem recently told Krebs that the company has confirmed that hackers breached its systems via a Joomla vulnerability for which patches had been made available in September 2014. OneStopParking hadn't applied those patches, Ghanem said, because they broke portions of its website.
Ghanem said OneStopParking is currently in the process of notifying all those affected by the breach.
Krebs noted that both Park 'N Fly's and OneStopParking's notifications are consistent with the new data breach notification standard that President Obama proposed earlier this week, which would require all U.S. companies to notify consumers of a breach within 30 days of its discovery.
Trey Ford, global security strategist at Rapid7, told eSecurity Planet by email that travelers are becoming an increasingly common target for hackers. "As we saw with United and American Airlines, attackers are attracted by the personal information associated with loyalty programs, particularly details for high-limit personal and corporate credit cards with obvious market value," he said.
Consumers often cut corners on these types of sites, Ford said, due to their urgency to complete tasks, travel-related stressors, and sleep deprivation. "Given these considerations, consumers have a tendency to favor time-saving behaviors like password re-use, while stress, distraction and exhaustion raise our susceptibility to phishing campaigns," he said. "Travelers should take a few minutes to replace re-used passwords and double check travel loyalty balances."