Europe’s largest parking app operator has reported itself to information regulators in the EU and UK after hackers stole customer data.
EasyPark Group, the owner of brands including RingGo and ParkMobile, said customer names, phone numbers, addresses, email addresses and parts of credit card numbers had been taken but said parking data had not been compromised in the cyber-attack.
The company did not say how many of its users had been affected, beyond detailing that 950 RingGo users in the UK were involved. A spokesperson said “the majority of users affected are users in Europe on the EasyPark brand”, which suggested that the data of thousands of customers had been compromised.
The hack highlights the increasing centralisation of parking services across the world, as apps, websites and automated phone lines replace physical meters and parking attendants. Operating machines is much more expensive but they do not require personal data to make payments and can be used by people who rely on cash, such as many older drivers.
The central collection of location data is particularly sensitive because it could be used to physically track people.
EasyPark has said it is Europe’s biggest parking app in terms of coverage. The company and rivals such as the Volkswagen-owned PayByPhone and JustPark in Europe and ParkWhiz and SpotHero in the US are racing to cover as much of the world as possible, often incurring steep losses while snapping up competitors.
EasyPark is owned by the private equity investors Vitruvian Partners and Verdane, which bought it from BMW and Daimler in 2021. Its EasyPark, ParkMobile, RingGo and Park-line apps operate in more than 4,000 cities across 23 countries, including the US, Australia, New Zealand and most western European states such as Germany, France, Spain, Italy and the UK.
The company said its ParkMobile brand, which has 50 million users in the US, had not been affected. Users of RingGo had been affected because some of its services were integrated with the EasyPark technology, but the RingGo platform was not breached, it said.
The company was not yet aware of instances of the data being used or published, and had not received a ransom demand.
EasyPark Group said it discovered the breach on 10 December, and started informing all affected customers days later. Sweden’s privacy regulator has been notified as the lead authority for the EU, while the Information Commissioner’s Office in the UK and the Swiss data regulator have also been informed.
EasyPark said that, for affected customers, “a few digits of your IBAN or credit card number” were part of the breach but no combination of the stolen data could be used to make payments. However, it warned that customers should be mindful of phishing, when attackers use some information to fool people into giving away money or payment details.