A Vermonter has filed a class-action lawsuit against a popular parking payment app used in Burlington, Montpelier and Winooski after users’ information was compromised during a data breach.
The lawsuit against ParkMobile claims that 21 million users were impacted when the Atlanta-based company failed “to properly secure and safeguard” personally identifiable information.
Tyler Baker filed suit May 25 in federal court in Georgia. Outside of Vermont, ParkMobile currently operates in several large metropolitan areas throughout the country.
Baker is seeking unspecified damages, a “full and accurate” disclosure by ParkMobile of the compromised information, and for the company to bolster its security practices, among other things, according to the suit.
“Despite defendant’s commitment to protecting personal information, ParkMobile failed to prioritize data and cybersecurity by adopting reasonable data and cybersecurity measures to prevent and detect the unauthorized access to plaintiff’s and Class Members’ PII,” the lawsuit states.
An email sent to Baker for comment was not returned. His town of residence was not identified in the lawsuit.
ParkMobile announced it was aware of a “cybersecurity incident” on its website on March 26 involving third-party software used by the company.
An investigation conducted by the company later revealed “only basic user information was accessed,” including email addresses and phone numbers, as well as license plate numbers, according to a ParkMobile press release. Mailing addresses were obtained “in a small percentage of cases.”
The breach did not reveal credit card information or transaction history, according to the statement. ParkMobile does not collect Social Security numbers.
“Although there was a breach, the information that was breached was not financial information, that kind of thing,” said Jeff Padgett, director of parking and traffic for the Burlington city government.
Burlington first partnered with ParkMobile in late 2015, when the city announced a one-year trial program with the University of Vermont “to demonstrate the technology.”
The app allows users to pay by entering a code for the parking spot or zone, and to extend their stay without returning to the meter. Three-quarters of Burlington’s parking meters accepted only coins before the technology’s debut.
The city entered into a five-year contract with ParkMobile in 2018.
Other Vermont municipalities have followed. In February, Montpelier announced a partnership with ParkMobile to service more than 600 of the city’s parking meters. Local leaders touted the contactless process as a way for residents and visitors to limit the spread of Covid-19.
Winooski partnered with the service in 2019.
Darcy Miller, a ParkMobile user who spoke with VTDigger, said she received a pair of emails in late May from cryptocurrency trading websites, alerting her that someone had tried to create an account using her email address.
Alex Fabara, another user, provided a screenshot of his credit report that said his email address had been compromised, and password exposed, through the ParkMobile website.
Although the breach exposed encrypted passwords on ParkMobile accounts, it did not expose the encryption key hackers would need in order to read them, the company said. In an update on April 15, ParkMobile reiterated the option for users to change their passwords.
According to KrebsOnSecurity, a cybercrime watchdog blog run by journalist Brian Krebs, account information for ParkMobile users was detected by Gemini Advisory on a Russian-language crime forum. The information was reportedly listed for sale at $125,000.
All of the roughly 1,200 parking meters in Burlington are outfitted with ParkMobile technology, including the 130 “smart” meters in the city’s downtown core. ParkMobile also services the Lakeview and College Street garages, which Padgett said account for about 1,200 spaces, as well as the 350 spaces in the Marketplace garage.
ParkMobile transactions account for about half of the estimated $5 million in revenue Burlington generates from parking meters and garages, Padgett said. That revenue pays for upkeep for the infrastructure as well as other traffic signage, which is not supported by tax dollars.
Padgett said the city has had ongoing communication with ParkMobile since learning of the data breach, and is satisfied with the company’s response. Burlington is not considering the termination of its contract with ParkMobile at this time, Padgett said.
“I’ve talked to a couple of different [representatives] there, and they have been working with their third party to resolve the situation,” Padgett said.
The current contract is set to expire in January 2023.
Stay on top of all of Vermont’s criminal justice news. Sign up here to get a weekly email with all of VTDigger’s reporting on courts and crime.