In 2021, ParkMobile a mobile and web parking payments platform suffered a major data breach affecting 22 million users. Threat actors stole and leaked a 4.5 GB database on a hacking forum, exposing customers' full names, mobile numbers, email addresses, bcrypt-hashed passwords, mailing addresses, license plate numbers, and vehicle details. The breach led to a class-action lawsuit, settled in 2024 for $32.8 million, though victims received only $1 in-app credit (redeemable as four $0.25 discounts) with an expiration date. The company denied wrongdoing but faced allegations of negligent data security practices. Post-settlement, ParkMobile warned users of ongoing SMS phishing (smishing) attacks impersonating the company to steal sensitive information. The breach severely damaged customer trust, with leaked data enabling fraud risks and identity theft, though no direct financial losses were confirmed beyond reputational harm and minor compensation.
TPRM report: https://www.rankiteo.com/company/parkmobile-usa-inc-
"id": "par5532055100525",
"linkid": "parkmobile-usa-inc-",
"type": "Breach",
"date": "6/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '22 million',
'industry': 'Parking Payments / Mobility Services',
'location': 'Atlanta, Georgia, USA',
'name': 'ParkMobile',
'type': 'Private Company'}],
'customer_advisories': 'Instructions for claiming $1 in-app credit; guidance '
'on identifying and avoiding phishing attempts.',
'data_breach': {'data_encryption': 'Partial (passwords were bcrypt-hashed, '
'but other data was in plaintext)',
'data_exfiltration': 'Yes (4.5 GB database leaked on hacking '
'forum as CSV file)',
'file_types_exposed': ['CSV'],
'number_of_records_exposed': '22 million',
'personally_identifiable_information': 'Yes (names, email '
'addresses, phone '
'numbers, mailing '
'addresses, license '
'plate numbers)',
'sensitivity_of_data': 'High (includes names, contact '
'details, license plates, hashed '
'passwords)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Vehicle Information']},
'date_publicly_disclosed': '2021',
'description': 'ParkMobile, a mobile and web parking payments platform, '
'experienced a data breach in 2021 that exposed the personal '
'information of nearly 22 million users. The breach resulted '
'in a class action lawsuit, which was settled in December 2024 '
'with a $32.8 million compensation fund. Affected users '
'received a $1 in-app credit (redeemable as four $0.25 '
'discounts) as part of the settlement. The breach involved the '
'theft of a 4.5 GB database containing user details, which was '
'later leaked on a hacking forum. ParkMobile denied wrongdoing '
'but agreed to the settlement to resolve disputed claims. '
'Following the settlement, the company warned users about '
'ongoing SMS phishing (smishing) attacks targeting its '
'customer base.',
'impact': {'brand_reputation_impact': 'Negative (public backlash over minimal '
'compensation and ongoing phishing '
'risks)',
'customer_complaints': 'Class action lawsuit filed by affected '
'users',
'data_compromised': ['First and last names',
'Initials',
'Mobile numbers',
'Email addresses',
'Usernames',
'Bcrypt-hashed passwords',
'Mailing addresses',
'License plate numbers',
'Vehicle information'],
'financial_loss': '$32.8 million (settlement amount)',
'identity_theft_risk': 'High (personal and vehicle information '
'exposed)',
'legal_liabilities': 'Class action lawsuit settled for $32.8 '
'million',
'payment_information_risk': 'Low (no direct payment info mentioned '
'as compromised)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (full database leaked '
'on hacking forum)'},
'investigation_status': 'Settled (class action lawsuit concluded in December '
'2024)',
'recommendations': ['Users advised to manually claim $1 in-app credit via '
'promo code before expiration (October 8, 2026 for most '
'users).',
'Warnings issued about ongoing SMS phishing (smishing) '
'attacks; users urged to verify sender authenticity and '
'avoid clicking suspicious links.',
'ParkMobile emphasizes it will never request sensitive '
'information (passwords, security codes, banking details) '
'via email/SMS.',
'Users encouraged to check exposure status via '
'HaveIBeenPwned.'],
'references': [{'source': 'BleepingComputer'}],
'regulatory_compliance': {'legal_actions': 'Class action lawsuit (settled for '
'$32.8 million)'},
'response': {'communication_strategy': 'Emails sent to class action '
'plaintiffs with redemption '
'instructions for in-app credit; '
'warnings issued about ongoing '
'phishing attacks',
'recovery_measures': 'Class action settlement ($32.8 million '
'fund, $1 in-app credit per user)'},
'stakeholder_advisories': 'Emails sent to class action plaintiffs with '
'settlement details and redemption instructions; '
'public warnings about phishing scams.',
'title': 'ParkMobile 2021 Data Breach and Class Action Lawsuit Settlement',
'type': ['Data Breach', 'Class Action Lawsuit']}