EasyPark victim of a cyberattack, data exfiltrated (Dec. 2023)

The Swedish EasyPark (or the EasyPark Group) has confirmed that it was the victim of a cyber attack on December 10, 2023. Nice: EasyPark plays it down and writes, "there was a breach of non-sensitive customer data". "Thankfully", only data such as email address, telephone number, address or parts of card details were stolen. What could have happened if "non-sensitive data" had been stolen? Here is an overview of the facts.

German blog reader Patrik informed me by email that there was an attack at EasyPark in which data was stolen. I confess to a certain satisfaction about this incident – "learning through pain" is the motto – only when the digitization fetishists have really hit the wall will there perhaps be a rethink.

What is EasyPark?

The background: EasyPark is a private provider that is committed to managing parking spaces and paying parking fees in Germany under the motto "Your reliable companion on the road". To this end, the provider works together with cities and parking lot operators so that cars can be parked "safely and easily" (according to its own statement). EasyPark is part of the EasyPark Group, headquartered in Stockholm, Sweden.

EasyPark

An EasyPark app is required, registration with EasyPark is required and payment processes are also carried out via this app. Users can use the app to search for parking spaces, and EasyPark stickers can now be found on many parking machines in cities. In the worst-case scenario, parking is only available to those who install the EasyPark app on a smartphone, register with the provider with payment information and then book the parking space in the app.

On the German site shown above, the provider promises: "As soon as you start a parking process with EasyPark, we send a message to the city's control system. This allows the authorities to see that the parking fee for your parking space has been paid via the app."

I had my first encounter with EasyPark in the summer of 2023 when I was looking for a parking space online for an event. On the internet, I came across the tiny piece of information that the EasyPark app would be required to book parking at the event – with location data via smartphone and GPS as well as license plates and payment via app. Only senior citizens without a smartphone would have a limited opportunity to buy a parking ticket at the ticket offices on site with a 5 euro surcharge …

That was the point where the whole thing really annoyed me. I would have had to install an app and register it – no way. A quick web search revealed something frightening – some local authorities are firmly committed to EasyPark (under the aspect of "progress is here …"), which took over Park Now some time ago. Of course, I immediately came across a German article from fall 2022, which dealt with weak points. Suddenly everyone could see who was parking where (wife's comment "who cares where I park?").

I then did a quick search to find out what the users thought. According to the manufacturer's website, hundreds of thousands of EasyPark customers are delighted. I then made the mistake of reading the 1-star ratings on Trustpilot. Some of what I found: Someone enters your license plate number and parks at your expense. The app does not allow a day ticket, so you get a parking ticket because the start and end times cannot be booked beyond a certain interval.

Any error there is probably at the customer's expense. There is no provision for booking tickets via a web portal – you need an app. Local politicians force people to use an app from a third-party provider, and the press celebrates it as progress. And what annoyed me even more: there are probably several providers and, depending on the location, you have to have different parking apps on your smartphone.

Cyber attack on EasyPark

In the above screenshot of the EasyPark page, you can already see a banner stating that there has been a cyber attack on the provider. The astonished citizen learns that, on December 10, 2023, the provider discovered that it had been the victim of a cyberattack.

Only "non-sensitive" data are affected

The customers were also extremely lucky because the provider acted quickly to stop the cyber attack immediately, which is great, isn't it? And the provider has ensured that its services continue to run as usual, money and parking management come first.

But it gets even better, because according to EasyPark's announcement, the attack "only" resulted in a breach of non-sensitive customer data. Only "some" customer data was affected, for which the following information is relevant:

  • If you were affected, some contact information you may have provided to us (such as name, phone number, physical address, and/or email address) were accessed.
  • When you pay for parking with a credit card/debit card or IBAN, some digits of the card you chose are displayed. These partial details were accessed. However, someone cannot make payments using this incomplete information.

The provider reveals unintentional humor with the statement: "No combination of this stolen data can be used to make payments" and advises people to "be wary of phishing". Now people can wait for phishing messages that may demand "parking fees due to the cyber attack and the disrupted billing" – the attackers have the data. And what I miss in the above statement is a clear statement as to whether the license plate number is present in the accessed data records or not.

The statement that no data was stolen that is considered "sensitive" is taken by the "specialists" from this EU classification of the legal basis for data processing within the meaning of the GDPR, which explicitly deals with which data (sexual orientation, race/ethnicity, genetic and health data, etc.) falls under this legal basis. The legal basis describes the conditions under which companies may process this data at all.

Sorry, and now we are getting serious

Of course the provider is sorry – I believe they are, and the incident has also been reported to the relevant authorities. As EasyPark Group takes the protection of customer data very seriously and always strives to provide the best possible experience with its services, it has now "added a briquette" and is taking things seriously. The EasyPark security team, which includes external security experts, is working hard to implement effective security and data protection measures. In other words, the wording implies that no, or no effective, security and data protection measures were previously in place.

Here is the complete content of the information page, but without the FAQ at the end of the article:

EasyPark Data Breach

On December 10, 2023, we discovered we were the victim of a cyber attack. The attack resulted in a breach of non-sensitive customer data.

We deeply care about our customers and want to make sure you are fully informed about this incident. Here is what we have done.

1. We took actions to protect you.

  • We took swift measures to stop the cyber attack.
  • We made sure our services continued to operate as usual.
  • We notified the appropriate authorities.
  • Our security team, including external security experts, is working hard to ensure effective security and privacy measures are in place.

2. We are making you aware.

  • Some of you were affected by the data breach. We are reaching out to all affected customers.
  • If you were affected, some contact information you may have provided to us (such as name, phone number, physical address, and/or email address) were accessed.
  • When you pay for parking with a credit card/debit card or IBAN, some digits of the card you chose are displayed. These partial details were accessed. However, someone cannot make payments using this incomplete information.
  • No combination of this stolen data can be used to perform payments.
  • As always, you should be mindful of phishing attempts, which are unfortunately common.

3. We are sorry.

At EasyPark Group, we take protecting your privacy seriously and strive to deliver the best possible experience for you. Experiencing a data breach naturally creates concerns for all of us.

We are deeply sorry this happened and will continue to work hard every day to earn your trust.

They have also published an FAQ that contains further details on several questions.

My 2 cents

EasyPark's announcement about the cyber incident is the most advanced kind of bullshit talk and a red herring. Together with naive or compliant local politicians, the provider has succeeded in making it compulsory to pay parking fees via app and registration at some events or locations.

If you don't want this, you may not be able to park where you used to because you won't be able to buy a parking ticket from a machine. And if you have the wrong app, the internet is down or there is some other fault, you won't be able to park either. What does the provider do? After the cyber-attack has taken place, the provider is just rambling on with platitudes and pulling the wool over the eyes of naive users.

And that brings us to "learning through pain". We are only at the beginning of a wave of digitalization which, according to its protagonists, is set to gather momentum. But providers are failing to implement or comply with the most basic security measures and standards. If something happens, the case is played down in fine words: "Unfortunately it happened, there's nothing we can do. It was advanced cyber criminals with a lot of energy – it happens to others too. But the data security of our customers is important to us and we take it very seriously."

That's why I hope that the issue will be "driven against the wall in a timely manner" – it must hurt badly now – so that the damage is kept to a minimum. Perhaps there will be a technical and organizational rethink so that digitalization becomes more sensible, more sustainable and, above all, more secure.

One Response to EasyPark victim of a cyberattack, data exfiltrated (Dec. 2023)

  1. Kirsi says:

    I have received continuous call attempts after this leaking of mobile phone information, and now I have stopped answering any calls that I have not registered on my phone.

    This leaking of personal information is really unfortunate and I think that it is not enough that EasyPark regrets what has happened.
