Description

The use of parking apps has grown substantially in recent years. Parking apps also collect a great deal of personal information from the drivers who use them, which makes them potential targets. March 5, 2025 was the final date to submit a claim for a share of the $32.8 million settlement involving the data breach of ParkMobile in March of 2025. ParkMobile is one of the largest and most popular parking apps in the U.S. and operates in over 500 cities across North America. An estimated 21 million people will be eligible for payment. Information exposed in the attack included email addresses, phone numbers, license plate numbers, hashed passwords and mailing addresses. The attackers gained unauthorized access to ParkMobile’s systems by exploiting a vulnerability in third-party software used by the company. This vulnerability allowed them to breach ParkMobile’s security and access sensitive user data without needing to crack the encryption keys for hashed passwords.

 

Basis of the Case

A class action lawsuit was filed against ParkMobile in May of 2021 on behalf of Tyler Baker and fellow victims of the 2021 data breach. The complaint asserted that Baker detected suspicious activity in his ParkMobile-linked PayPal account, forcing him to devote significant personal time to addressing these security concerns, updating compromised credentials, and maintaining vigilant oversight of his financial accounts. The allegations in the suit include:

  • ParkMobile failed to implement adequate security measures, as recommended by the Federal Trade Commission (FTC)
  • ParkMobile was negligent in protecting users’ personally identifiable information (PII), which was compromised during the breach
  • ParkMobile’s approach to maintaining user privacy was “reckless, or in the very least, negligent,” given the publicly available knowledge of similar data breaches
  • The compromised information of over 20 million users was listed for sale on a Russian crime forum

 

Call to Action

Many cybersecurity breaches, such as the ParkMobile incident, occur because of vulnerabilities in third-party software components or service providers. Before integrating third-party vendors or software, companies should conduct comprehensive security evaluations that include:

  • Requiring vendors to complete detailed security assessments covering data protection, encryption practices, access controls, and compliance with industry standards such as PCI DSS, HIPAA and ISO 27001.
  • Conducting penetration tests on vendor-provided software to uncover exploitable vulnerabilities before deployment.

 

While the absence of a web application firewall (WAF) wasn’t specifically cited in the case, a WAF is a crucial security element for any organization serving customers through online platforms. A WAF functions as a reverse proxy positioned between users and web applications that inspects incoming and outgoing traffic. Each HTTP/S request is examined against established security rules, with potential attacks identified through signature-based detection methods. Advanced next-generation WAFs enhance this protection by employing AI and machine learning algorithms to conduct behavioral analysis, identifying anomalous traffic that deviates from established usage patterns.

 
