Parking-garage operator SP Plus Corp. says card readers at 17 garages it operates were hacked this fall, with one breach extending back to April.
Chicago-based SP Plus says the company that provides and maintains the payment card systems in the 17 garages—10 are in Chicago, three in Evanston, Ill., two in Philadelphia, and one each in Cleveland and Seattle—alerted it to the breach. The hacker used the provider’s remote access tool to connect to computers that process payments.
With that access, the hacker was able to install malicious software that may have been able to capture the cardholder’s name, card number, expiration date, and card verification code, SP Plus says.
SP Plus says it launched an investigation and hired a computer-forensics firm to determine the extent of the breach.
SP Plus also says it lacks sufficient information about the breach to identify whether any specific cards were taken or to mail notification letters to affected cardholders. The malware has been disabled, the company says, and it is requiring the vendor, which it did not identify, to use two-factor authentication methods for remote access.
The malware was active at most of the garages from late September or early October through late October or early November. The exception was a garage in Seattle, where the malware was active from April 14 through Oct. 31.
SP Plus operates approximately 4,200 parking facilities under the Standard Parking and Central Parking brands.