After the number of major breaches affecting some of the largest retailers this year, some may feel uneasy as they approach the cashier to pay for their purchases. Now consumers have another place to worry about–parking garages.
SP+, a company that provides parking, maintenance and security services to property owners, said on Friday that an unauthorized attacker gained access to its payment processing systems and was able to access customer names and payment card information.
The company said that on November 3, 2014 it received a security notice from a third party vendor that provides payment card systems for some of its parking facilities. The noticed warned that an unauthorized person had used a remote access tool to connect to the payment processing systems at some of those facilities and that customer data was at risk.
The company said that after learning the incident, an investigation was launched with the help of a “leading computer forensic firm” in order to determine the extent of the breach.
The company, which changed its name from Standard Parking Corporation to SP Plus Corporation in 2013, did not disclose how many card numbers may have been compromised, but said the attack affected 17 of its parking facilities.
Through its Standard Parking and Central Parking brands, the company operates roughly 4,200 parking facilities in hundreds of cities across North America, and has approximately 23,000 employees.
“The unauthorized person used the remote access tool to install malware that searched for payment card data that was being routed through the computers that accept payments made at the parking facilities,” SP+ noted in a breach disclosure. “While SP+ was conducting this investigation, it identified one additional facility where card data was at risk. The information from payment cards that may have been captured by the malware is the cardholder’s name, card number, expiration date, and verification code.”
Parking facilities in Chicago, Cleveland, Philadelphia, Seattle, and Evanston were affected by the breach, though a majority of the locations affected were located in Chicago.
“Though SP+ does not have sufficient information to identify whether any specific cards were taken or to mail notification letters to the potentially affected cardholders, SP+ wanted to let its customers know about this incident as soon as it could,” the company said.
SP+ also said that it has notified its payment processor to provide them with the account numbers for cards used during the period at risk so that issuing banks for the cards could be alerted.
The company said that the malware has been removed on all affected servers, and that it has implemented additional security measures including forcing the vendor use of two-factor authentication for remote access.
SP+ did not say what type of malware was found on the systems.
Earlier this week, a new strain of point-of-sale malware targeting e-kiosks and ticket vending machines was uncovered by intelligence firm IntelCrawler. Dubbed ‘d4re|dev1|’, the malware is hitting mass transit systems, and acts a backdoor that gives attackers remote administration capabilities. It also has RAM scrapping and keylogging features, IntelCrawler said.
IntelCrawler CEO Andrew Komarov told SecurityWeek that the “Dare Devil” malware has compromised at least 80 merchants. Komarov said that the attackers are installing the malware using unsecure remote administration channels, including tools like TeamViewer and pcAnywhere. In some cases, the attackers are looking for specific retail management systems in order to compromise them using application vulnerabilities.
Earlier this year, IntelCrawler discovered Nemanja, a botnet comprised of roughly 1,500 terminals and other systems, and POSCLOUD, which targets cloud-based PoS software used by many grocery stores, retailers, and other small businesses.