14 DAY TRIAL // Payment information from cards used to make reservations on the website of off-airport parking operator Park ‘N Fly (PNF) has been exposed to an unauthorized entity, the company announced.
Neither the date of the breach nor when it was acknowledged have been released by the operator, but an investigation into the incident has been initiated, with the assistance of third-party data forensics experts.
However, judging by the fact that at the moment no transactions can be processed through the site due to maintenance activity, it is safe to assume that the incident occurred recently.
Sensitive information has been exposed
The compromise has been contained and there is no information on attempts of fraudulent transactions using the exposed card data.
However, if the details have been copied by cybercriminals carrying out the intrusion, financial institutions are very likely to receive fraud complaints from customers.
In a statement disclosing the breach, PNF said that the data potentially at risk included not only the card number, name of its owner, expiration date and billing address, but also the associated CVV (card verification value), which is represented by the three-digits available on the back of the card.
All this information is more than enough for online shopping sessions, where the CVV is essential for approving the transactions. In the case of some merchants, the verification value is not even needed for smaller purchases.
Other sensitive information that may have been exposed during the breach refers to PNF passwords and phone numbers.
CVVs are essential for online purchases
Storing the CVV, also called CVC (card verification code) on the systems of a merchant, is against the Payment Card Industry Data Security Standard (PCI DSS), specifically to prevent this kind of fraud.
By choosing to keep this information on their infrastructure, merchants basically trade security for comfort, offering a quick and easy, yet risky way for recurring customers to complete the online transaction.
PNF offers affected customers a free, one-year subscription to an identity protection service.
Recently, another business offering similar services, OneStopParking.com, has fallen victim to hackers, but in this case the card information was already up for sale on a cybercrime forum.
OneStopParking.com also stored the CVV codes on the back of the cards, along with owner’s name, expiration date of the card and its number, offering cybercriminals the opportunity to purchase goods online in the name of the victims.