Krebs reports that both banks discovered a pattern of fraud on “a significant number” of credit cards that had recently been used to make online reservations at Park ‘N Fly locations nationwide.
Those cards are being sold for $6 to $9 each at Rescator[dot]cm, the crime store that was previously used to sell cards stolen from Home Depot and Target. The data being sold includes the cardholder’s name, address and phone number as well as the card number, expiration date and verification code.
Still, Park ‘N Fly senior director of information technology Michael Robinson told Krebs that while the company has hired “multiple” security firms to investigate the claims, none of the firms has yet confirmed that a breach took place.
“We have been unable to find any specific issues related to the cards or transactions reported to us and by the financial institutions,” Robinson said. “While this kind of incident is rare for us based on our thousands of daily transactions, we do take every instance very seriously. Like any reputable company involved in e-commerce today we recognize that we must be constantly vigilant and research every claim to root out any vulnerabilities or potential gaps.”
“While we believe that our systems are very secure, including SLL encryption, we have recently engaged multiple outside security firms to identify and resolve any possible gaps in our systems and as always will take any action indicated,” Robinson added. “We have made all necessary precautionary upgrades and we just upgraded on 12/9 to the latest EV SSL certificate from Entrust, one of the leading certificate issuers in the industry.”
In a similar but more limited breach disclosed last week, Missouri’s St. Louis Parking Company announced that hackers may have compromised the credit card data of customers who used its Union Station Parking Facility between October 6, 2014 and October 31, 2014.
“As soon as the breach was discovered, the affected server was isolated and security measures were put in place to eliminate any further compromise of data,” the company said in a statement, adding that it has hired third party forensic experts to assist with its investigation into the breach.
And in late November, parking facility service provider SP+ announced that a hacker had leveraged its payment card systems provider’s remote access tool to connect to computers that process payment cards for 17 of its parking facilities in Chicago, Cleveland, Evanston, Philadelphia and Seattle.
“The unauthorized person used the remote access tool to install malware that searched for payment card data that was being routed through the computers that accept payments made at the parking facilities,” SP+ explained in a statement, noting that cardholder names, card numbers, expiration dates and verification codes may have been accessed.
“The malware has been disabled on all affected servers, and we have required that the vendor convert to the use of two-factor authentication for remote access,” SP+ added. “We are working with the computer security firm to implement additional enhanced security measures.”