Book2Park is the third airport parking site to be breached in as many weeks.
A new batch of stolen credit card numbers was offered for sale last week on the Rescator cybercrime shop, and according to Krebs, several banks found the same pattern among the cards being sold — all had recently been used to make parking reservations at Book2Park.com.
Book2Park.com owner Anna Infante told Krebs that she wasn’t aware of a credit card breach, but that a third party technology firm had recently uncovered and removed malware from the company’s Web server.
“We already took action on this, and we are totally on it,” Infante said. “We are taking all further steps in protecting our customers and reporting this to the proper authorities.”
As Krebs notes, the same hacker group also recently breached the airport parking sites Park ‘N Fly and OneStopParking.com — it’s not clear why online parking reservation systems have become such an attractive target for hackers.
In a similar but unrelated breach, Barbecue Renew, an e-commerce retailer offering grilling accessories, equipment and replacement parts through its website grillparts.com, recently began notifying an undisclosed number of customers that their credit information may have been accessed by hackers (h/t SC Magazine).
Data potentially accessed includes customers’ first and last names, addresses, credit card account numbers, expiration dates and card security codes.
Barbecue Renew was notified twice in October and November of 2014 that banks had uncovered incidents of possible fraud associated with credit cards that had been used at grillparts.com.
“Barbecue Renew immediately notified law enforcement, retained a third party forensic investigator, and took immediate steps to determine what information may have been accessed and the extent of any possible compromise of cardholder data,” the company said in a notification letter [PDF] to those affected.
The investigation determined that cardholder data was exposed on three separate occasions between January 2014 and October 2014.
“We are working with leading IT security firms, data privacy and protection attorneys, law enforcement and payment industry contacts to continue to address this incident,” the company said. “Additionally, we are devoting all necessary resources to our ongoing efforts to enhance our information security policies and procedures in light of this incident to minimize the risk of such incidents in the future.”
And payment processor EgoPay recently acknowledged that it was breached by hackers in late December 2014. The company’s former CEO Tadas Kasputis told CoinDesk that EgoPay’s Bitcoin-related customers lost $1.1 million as a result of the breach.
One customer told CoinDesk he had lost $80,000, and payment solutions company Payeer said it lost $185,503.32.
“False values were made available in the merchants platform, when no actual value was transmitted in Egopay,” the company explained in a blog post. “This hacker then proceeded to convert this fake value into irreversible currencies all within a one hour window.”
After concluding that the attack must have been perpetrated by someone with insider access, EgoPay suspended several suspected employees while the investigation was underway. “Unfortunately, this resulted in our support services being delayed or non-existent,” the company noted.
“Repeatedly while trying to provide answers to our members, something new would unfold making any explanation meaningless,” the company added. “Rightfully, people are upset at us. We failed to communicate. We failed our membership base. We take full responsibility on this.”