Park 'N Fly and OneStopParking suffer card breaches

Park 'N Fly and OneStopParking are the latest companies to reveal data breaches, potentially exposing the card details of customers who used either service, reports Krebs on Security.

The two companies both provide airport parking reservations via internet reservation systems, and were suspected of leaking data by Krebs as early as last month, but now each has confirmed the breaches independently.

"Park ‘N Fly (“PNF”) has become aware of a security compromise involving payment card data processed through its e-commerce website," reads a statement on the Park 'N Fly website. "PNF has been working continuously to understand the nature and scope of the incident, and has engaged third-party data forensics experts to assist with its investigation. The data compromise has been contained."

"The data potentially at risk includes the card number, cardholder’s name and billing address, card expiration date, and CVV code," the statement explains, though it omits details of the likely duration of the breach and an estimated number of affected customers. "Other loyalty customer data potentially at risk includes email addresses, Park ‘N Fly passwords, and telephone numbers," it adds.

SC Magazine notes that the company will be offering free identity monitoring, and identity protection services to those impacted.

OneStopParking, on the other hand, was hit by a known vulnerability in Joomla. While patches for the issue were available in September 2014, OneStopParking had delayed implementation "because it broke portions of the site." Site manager Amer Ghanem told Krebs that the company was in the process of notifying affected customers.

Unlike last year's spate of Point-of-Sale malware which leaked details of transactions made in store, these are both a purely online breach - which means that the cards cannot be cloned for use in high street stores, but they can be used for online purchases.

Krebs reports that details stolen from both sites are already available from cybercriminals: "The stolen CVVs traced back to both Park ‘N Fly and Onestopparking.com were among thousands for sale in large batches of card data being peddled," he writes.