More than 5,000 people have been affected by the data breach at Cork City’s Park by Phone service, it emerged last night.
Cybersecurity experts are assisting with an investigation into the breach and steps have been taken to secure the service, which is provided to the city council under contract by ParkMagic.
While the reported breach occurred last Thursday and was notified to the relevant authorities and to the public on Friday, it has emerged that the first instance of the breach occurred in May.
The details emerged in a report to city councillors and in a statement from the Data Protection Commission (DPC).
The DPC said it was notified by the city council of the personal data breach last Friday.
While no personal bank account or credit or debit card details were accessed, no account balances altered, and no passwords compromised, personal data including car registration numbers, email addresses, and mobile phone numbers may have been compromised.
There has been no impact on the operation of the service.
The DPC said the data breach was a result of an APP credential being compromised.
In a statement, it said: “The council reports that this compromised login allowed a third party to effectively masquerade as an APP on the desktop and automate access attempts and that the first instance of this breach occurred on May 22, 2018.”
The DPC said the council has informed gardaí about the breach, describing it as the “unauthorised access and retention of the personal data and the fraudulent use of parking credit”.
“The council is currently taking steps to mitigate the consequences of the breach incident on the affected persons, all of whom are to be notified of the breach by the council,” it said.
In a report to councillors at last night’s city council meeting, council chief executive Ann Doherty said investigations to date suggest that the data of approximately 5,000 customers may have been accessed.
She said that once the data breach was identified, ParkMagic immediately addressed the breach and the council arranged for cybersecurity experts from KPMG to be on site at ParkMagic’s headquarters in Limerick on Saturday.
“Further detailed investigation is ongoing by ParkMagic and KPMG on behalf of Cork City Council,” said Ms Doherty.
“Once we are in a position to release further details we will do so — initially to the individual customers affected. However, it is expected that the detailed investigations will take some time.”
The council’s head of IT, Ruth Buckley, said councils are under almost constant cyber attack.
She said on the basis of expert advice, she has been told not to disclose the exact nature of the attack to limit vulnerability to future attacks.
The Cork City Park by Phone service was introduced in May 2015. It has some 31,000 subscribers.