Published: 6/14/2021 10:14:02 AM
Modified: 6/14/2021 10:14:05 AM
A Vermonter has filed a class-action lawsuit against a popular parking payment app used in Burlington, Montpelier and Winooski after users’ information was compromised during a data breach.
The Upper Valley communities of Woodstock and Hanover use the app as well.
The lawsuit against ParkMobile claims that 21 million users were impacted when the Atlanta-based company failed “to properly secure and safeguard” personally identifiable information.
Tyler Baker filed suit May 25 in federal court in Georgia. Outside of Vermont, ParkMobile currently operates in several large metropolitan areas throughout the country.
Baker is seeking unspecified damages, a “full and accurate” disclosure by ParkMobile of the compromised information, and for the company to bolster its security practices, among other things, according to the suit.
“Despite defendant’s commitment to protecting personal information, ParkMobile failed to prioritize data and cybersecurity by adopting reasonable data and cybersecurity measures to prevent and detect the unauthorized access to plaintiff’s and Class Members’ PII,” the lawsuit said.
An email sent to Baker for comment was not returned. His town of residence was not identified in the lawsuit.
ParkMobile announced it was aware of a “cybersecurity incident” on its website on March 26 involving third-party software used by the company.
An investigation conducted by the company later revealed “only basic user information was accessed,” including email addresses and phone numbers, as well as license plate numbers, according to a ParkMobile press release. Mailing addresses were obtained “in a small percentage of cases.”
The breach did not reveal credit card information or transaction history, according to the statement. ParkMobile does not collect Social Security numbers.
“Although there was a breach, the information that was breached was not financial information, that kind of thing,” said Jeff Padgett, director of parking and traffic for the Burlington city government.
Burlington first partnered with ParkMobile in late 2015, when the city announced a one-year trial program with the University of Vermont “to demonstrate the technology.”
The app allows users to pay by entering a code for the parking spot or zone, and to extend their stay without returning to the meter. Three-quarters of Burlington’s parking meters accepted only coins before the technology’s debut.
The city entered into a five-year contract with ParkMobile in 2018.
Other Vermont municipalities have followed. In February, Montpelier announced a partnership with ParkMobile to service more than 600 of the city’s parking meters. Local leaders touted the contactless process as a way for residents and visitors to limit the spread of COVID-19.
Winooski partnered with the service in 2019.
Although the breach exposed encrypted passwords on ParkMobile accounts, it did not expose the encryption key hackers would need in order to read them, the company said. In an update on April 15, ParkMobile reiterated the option for users to change their passwords.
According to KrebsOnSecurity, a cybercrime watchdog blog run by journalist Brian Krebs, account information for ParkMobile users was detected by Gemini Advisory on a Russian-language crime forum. The information was reportedly listed for sale at $125,000.