Park 'N Fly Confirms Data BreachPayment Card Information Exposed
Park 'N Fly is notifying an undisclosed number of customers that their payment card information was exposed following a compromise of the company's e-commerce website.
The data breach follows a security incident at parking facility provider SP+, formerly Standard Parking Corp., which involved the compromise of a POS system vendor and exposed payment card details (see: Why Attacks Exploit Common POS Systems).
Airport parking lots are attractive targets for fraudsters because they are often used by business travelers utilizing business or commercial credit cards, says one card issuer who asked not to be named. "These cards are favored by fraudsters because of high lines, low decline rates and less scrutiny on a day-to-day basis by cardholders," the issuer says.
Park 'N Fly, an offsite airport parking operator based in Atlanta, says that it has hired data forensics experts to assist with its investigation of the breach, which has been contained.
"While the investigation is ongoing, it has been determined that the security of some data from certain payment cards that were used to make reservations through PNF's e-commerce website is at risk," the company says in a Jan. 13 statement.
Compromised information includes card numbers, cardholder names, billing addresses, card expiration dates and security codes. Other loyalty customer data that may have been exposed includes e-mail addresses, Park 'N Fly passwords and telephone numbers.
Impacted customers are being offered free credit monitoring and identity protection services for one year. Park 'N Fly says it's working with law enforcement and credit card brands to investigate the incident.
"PNF is committed to protecting its customers and their information and will continue a comprehensive response to thoroughly investigate and respond to the incident and improve its data security," the company says.
The company did not immediately respond to a request for comment. News of a possible breach at Park 'N Fly was first reported by security blogger Brian Krebs.