Data Breach at Annapolis Parking Garages Possible: City

Annapolis, MD — Annapolis government officials are warning of a potential data breach of customer information at three local parking garages.

Annapolis Mayor Michael Pantelides issued a statement Tuesday indicating that a breach may have occurred at the Noah Hillman, Gotts Court and Knighton parking garages, affecting customers that used the garage over a period of six months.

According to a preliminary investigation, customers who parked in any of the three garages and paid with either a credit or debit card between Dec. 23, 2015 and June 11, 2016 may be affected, the city says.

On June 11, representatives of the company SP+, which operates the garages, said they noticed "suspicious activity" on the garages' servers.

According to the company, malware may have been installed on Dec. 23, back when the garages were working with a different vendor for their servers.

Mayor Pantelides said the city is working closely with the Maryland Attorney General's Office and SP+ to investigate and attempt to remedy the breach, which could allow criminals to access sensitive customer information.

"If confirmed by forensic analysis, the type of malware discovered has the capability to access credit card and debit card account numbers, names of cardholders, card expiration dates and the CVV number on the back of credit and debit cards," the city said in its statement.

The city said SP+ has switched all of the city’s parking facilities to accepting cash payments only, and has taken the servers out of use. In addition, SP+ has hired a firm to perform a forensic investigation, and has notified applicable credit card companies.

Important to note, is that monthly parking subscribers may be in the clear.

"Because it appears now that only transient parkers may have been affected as a result of this event, individuals who used monthly garage permits for payment at these parking facilities throughout this time period, as well as participants in the residential parking program, likely are not affected," the City added.

City officials said the parking facility servers are not in any way tied into the city’s servers and no interactions with City of Annapolis online payments have been compromised.

"The City of Annapolis does not store any credit card information, and firewalls are in place on all computer equipment," the statement said. "Firewalls are kept current with software updates that detect viruses including malware."

Anyone with questions can call 410-263-7020 Monday through Friday between 8:30 a.m. to 4:30 p.m. EST, send an e-mail to datasecurity@annapolis.gov, or contact the City by regular mail at City of Annapolis, Attn: Data Security Event, 160 Duke of Gloucester St., Annapolis, MD 21401.