Europe’s largest parking app operator, EasyPark Group, has voluntarily reported a security breach to information regulators in both the EU and the UK. The incident involved unauthorized access by hackers, resulting in the theft of customer information.
EasyPark Group, which owns brands like RingGo and ParkMobile, disclosed that the compromised data included customer names, phone numbers, addresses, email addresses, and partial credit card numbers. However, the company emphasized that parking data remained secure and unaffected by the cyber-attack.
While EasyPark did not specify the exact number of affected users, it acknowledged that 950 RingGo users in the UK were among those impacted. A spokesperson noted that “the majority of users affected are users in Europe on the EasyPark brand,” indicating that potentially thousands of customers’ data had been exposed.
This security breach underscores the growing centralization of parking services globally, with digital platforms replacing traditional meters and attendants. While digital solutions offer convenience, the incident highlights the heightened risk associated with the central collection of sensitive location data, which could be exploited for tracking individuals.
EasyPark, claiming to be Europe’s largest parking app by coverage, faces competition from rivals like PayByPhone and JustPark in Europe and ParkWhiz and SpotHero in the US. The company, owned by private equity firms Vitruvian Partners and Verdane, operates in over 4,000 cities across 23 countries.
The breach was discovered on December 10, with affected customers being notified shortly afterward. EasyPark Group reassured users that the stolen data, which included only a few digits of IBAN or credit card numbers, could not be used for making payments.
However, the company cautioned users about the potential for phishing attacks, where attackers may use stolen information to deceive individuals into revealing more sensitive details.
The incident has been reported to Sweden’s privacy regulator as the lead authority for the EU, along with notifications to the UK’s Information Commissioner’s Office and the Swiss data regulator. As of the company’s statement, there were no indications of the stolen data being used or published, and no ransom demands had been received.