14 DAY TRIAL // As the investigation on the security compromise at off-airport parking operator Park ‘N Fly (PNF) advanced, it was discovered that the customer data had been exposed for little over one year.
In mid-January 2015, PNF announced that payment information from cards used to make reservations on its website might have been accessed by an unauthorized entity.
At that time, neither the date of the breach, nor its duration or its scope were known, and third-party data forensics services were contracted to learn more about the incident.
Security has been enhanced, reservations website back online
Since then, the reservations site has been offline and no transactions could be processed. On Friday, the company announced that the service was up and running again and a PayPal hosted payment solution was implemented to allow customers to reserve their parking spots online.
The results of the investigation showed that the compromise may have put at risk “certain payment cards that were used from November 27, 2013 through December 24, 2014 to make reservations through PNF‘s e-commerce website.”
PNF says that the security flaw has been eliminated from its systems and that security has been upgraded, although no details were offered regarding the changes made.
Sensitive information at risk
The information exposed includes card numbers, cardholder names, billing addresses, card expiration dates and the CVV (card verification value) codes; this data is more than enough to allow a cybercriminal to make online purchases in the name of the victim, since the CVVs are available.
As per the Payment Card Industry Data Security Standard (PCI DSS), CVVs (used in card-not-present transactions) should not be stored on a merchant’s computer infrastructure in order to prevent fraud in case of a breach.
To protect the affected customers from identity theft, the company provides them a one-year subscription to an identity protection service, free of charge.
Furthermore, a toll-free hotline has been set up to assist customers with information about the incident and support in mitigating fraud risk. Clients can call at (855) 683-1165 Monday through Saturday, 8:00 a.m. to 8:00 p.m. C.S.T.