UPDATE: We have tried to contact SP+, the City’s parking contractor, and they are unwilling to make any statement at this time regarding the breach. We did speak with Rhonda Wardlaw (Annapolis Public Information Officer) and she did tell us that at this point they do not know the extent of the breach; but that the malware was discovered. We asked about credit monitoring services and she said that it is not a case of identity theft at this point. The only information that appears to have possibly been compromised is a credit card number, name, expiration, and CVV number. This information might allow someone to make an unauthorized purchase on that card; but alone, would not be enough to compromise someone’s identity. The city is taking a proactive approach and giving people the opportunity to call their credit card companies and place flags on their accounts. Additional information is available at www.annapolis.gov
Mayor Michael Pantelides announces that the city is working closely with the Maryland Attorney General’s Office and SP+, the city’s comprehensive parking firm, to address a potential data security event that was reported at the Noah Hillman Garage, Gotts Court Garage, and Knighton Garage parking facilities.
According to a preliminary investigation, the event may have affected transient parkers that used a credit card or debit card for payment at the city parking facilities between December 23, 2015 and June 11, 2016.
On June 11, 2016, SP+ representatives notified the city that they noticed suspicious activity on the servers at the three parking facilities. SP+ had been advised that malware may have been installed on December 23, 2015 while garage management was under a previous parking vendor contract. If confirmed by forensic analysis, the type of malware discovered has the capability to access credit card and debit card account numbers, names of cardholders, card expiration dates, and the CVV number on the back of credit and debit cards. SP+ switched all of the city’s parking facilities to cash payment only, and took the servers out of use. SP+ has hired a firm to perform a forensic investigation, and has notified applicable credit card companies.
Because it appears now that only transient parkers may have been affected as a result of this event, individuals who used monthly garage permits for payment at these parking facilities throughout this time period, as well as participants in the residential parking program, likely are not affected.
The parking facility servers are not in any way tied into the city’s servers and no interactions with City of Annapolis online payments have been compromised. The City of Annapolis does not store any credit card information and firewalls are in place on all computer equipment. Firewalls are kept current with software updates that detect viruses including malware.
If you have any questions, please call (410) 263-7020 Monday-Friday 8:30 a.m. to 4:30 p.m. Eastern Standard Time, e-mail at [email protected], or contact us by regular mail at City of Annapolis, Attn: Data Security Event, 160 Duke of Gloucester Street, Annapolis, MD 21401.
The required legal notification attached has been sent to state media outlets and will be posted on the city’s website at www.annapolis.gov.