Smart parking provider ParkMobile will learn in mid-March 2025 if the federal judge adjudicating the class action lawsuit filed against the company in the wake of its 2021 data breach will finalize a proposed $32.8 million settlement of the case.
Entitled Baker, et al. v. ParkMobile, LLC, the case involves 7 named plaintiffs and a class of approximately 21 million members who were affected by the 2021 data breach. The proposed agreement is pending in the U.S. District Court for the Northern District of Georgia, Atlanta Division.
The planned settlement has garnered significant media attention nationally, including a December 10 article in USA Today and a December 13 story in Forbes.
The 2021 breach
ParkMobile announced the data breach incident in March 2021, noting that it had become “aware of a cybersecurity incident linked to a vulnerability in a third-party software” that it was using, according to a March 26, 2021, notification on the ParkMobile Help Center. At the time, the company stated that it had taken “additional precautionary steps since learning of the incident, including eliminating the third-party vulnerability, maintaining our security, and continuing to monitor our systems,” according to the March 26 notification.
A few weeks later, ParkMobile elaborated on the types of data that the unauthorized and unknown actors had accessed. “Our investigation concluded that encrypted passwords, but not the encryption keys needed to read them, were accessed,” according to an April 13, 2021, notification on the company’s Help Center. “While we protect user passwords by encrypting them with advanced hashing and salting technologies, as an added precaution, users may consider changing their passwords in the ‘Settings’ section of the ParkMobile app or by clicking this link,” the company stated.
At the same time, ParkMobile also confirmed that the hackers accessed “basic user information — license plate numbers and, if provided by the user, email addresses and/or phone numbers, and vehicle nicknames,” according to the April 13 notification. “In a small percentage of cases, mailing addresses were affected. No credit cards or parking transaction history were accessed, and we do not collect Social Security numbers, driver’s license numbers, or dates of birth.”
After attempting to sell the stolen data, the hackers “released the data stolen from ParkMobile on the dark web for free in a .csv file (a type of excel-like spreadsheet),” according to the Second Amended Consolidated Class Complaint filed by the plaintiffs with the court in late August 2022. “Because the stolen ParkMobile data has been posted publicly, it is now freely available for any threat actor to perpetrate scams, fraud, identity theft, or some combination of the three against Plaintiffs’ and the Class,” according to the complaint. “In other words, each are at a substantial and continued risk of future harm.”
‘Not an admission of liability or any wrongdoing’
For its part, ParkMobile denies the allegations and all liability associated with the plaintiffs’ claims. The proposed settlement is “not an admission of liability or any wrongdoing,” said Haley Haas, the company’s group PR manager, North America.
“Our decision to settle the case enables us to focus on the ongoing protection of our customers' information and to continue enhancing our services,” Haas said. “We prioritize the protection of our customers and their data, continuously enhancing our security posture and monitoring based on industry best practices.”
ParkMobile, which was acquired by the EasyPark Group in June 2021, “continues to monitor our technical infrastructure to identify and minimize any risk of a similar incident happening again,” Haas said. “As an additional security measure, we have upgraded to passwordless authentication for a more secure and convenient experience.”
As for lessons learned from the incident that ParkMobile can share with other parking companies, Haas noted that “technical infrastructure is continually evolving, and so should companies' security measures.” She continued: “We are continuously monitoring for suspicious activity and working alongside expert security teams to further strengthen and protect our customers.”
Terms of the settlement
Under the terms of the proposed settlement, ParkMobile will provide $300,000 for administrative costs and pay $9 million into a fund that will be used to pay up to $25 to individual class members electing to take a cash payment. Class members who elect not to receive a cash payment will receive a $1 credit via email from ParkMobile that they may use in the company’s app.
This credit, which will have an overall cap of $21 million, “will apply to the ParkMobile fee on parking transaction(s) [and] not to the fee owed to the parking premises/owner (which is not in ParkMobile’s control),” according to the proposed settlement. “The credit will sunset after one year as is required for accounting purposes, except for California residents for whom it will not sunset.”
The agreement also includes a $2.5 million “credit for business remedial measures implemented by ParkMobile,” according to the proposed settlement. The company will provide the plaintiffs with a declaration “attesting to enhanced data security procedures put in place subsequent to the Data Security Incident,” according to the proposed settlement. “Plaintiffs will verify the information contained therein.”
The court is scheduled to hold a hearing on the final approval of the settlement on March 13, 2025, at the Richard B. Russell Federal Building and U.S. Courthouse in Atlanta. The court has appointed two attorneys to represent the settlement class: MaryBeth V. Gibson of Gibson Consumer Law Group, LLC, of Atlanta, and Art Murray of the Murray Law Firm, of New Orleans. ParkMobile is represented by the law firm Shook, Hardy, and Bacon LLP, of Atlanta. (More details about the proposed settlement are available here.)
Jay Landers is the editor-in-chief of Parking Today. He can be reached at jay@parkingtoday.com.
