Data leak at parking garage operator APCOA
At the parking garage operator APCOA, invoices from corporate customers and digital tickets could be viewed by incrementing a parameter in the URL.
There was a data leak at APCOA, the largest parking garage operator in Europe, which made it possible to view customer data, among other things. Invoices from corporate customers and digital tickets for Android and Apple Wallet could be accessed. To exploit the vulnerability, it was sufficient to count the booking number at the end of a customer-facing URL up or down.
All data in one database
Many different locations where APCOA offers its service are affected. During our research, we were able to retrieve data from parking garages in Germany, Denmark, Poland, Ireland and Italy. APCOA claims to operate 12,000 locations in twelve European countries, including those at 58 European airports. It is worth noting that the booking systems are usually accessible online under the domain of the airport where the parking garage is located, for example. In the background, however, APCOA appears to have only one database with one number range, as it was possible to display the data records of other APCOA locations under one URL by incrementing or decrementing the number.
In the invoices issued to corporate customers, both the address of the company and the name of the client were visible. The period in which the vehicle was to be parked and the location at which the service was booked were also visible, for example "P2 BER Terminal T1 & T2".
The digital tickets for the wallets did not contain any names, but did contain the vehicle's license plate number, the booking period and, in some cases, the vehicle model. For example, we were able to see from a data record that a Porsche Targa with a certain license plate number was to be parked at Parcheggio Airport in the "P3 Outdoor Car Park" from 08:00 on 26.03.2025 to 23:30 on 29.03.2025.
Invoices and tickets dating back to 2019 were visible. The company had activated automated anonymization of individual data for older data records. The data was fully visible in documents dating back to 2025 and partially visible in documents dating back to 2024. All older invoices only contained anonymized data.
Technically trivial vulnerability
A reader discovered the problem and contacted the heise-Investigativ team with his concerns. He had changed the invoice number at the end of the URL when receiving his ticket and noticed that he could also view other data.
On April 16, 2025, we contacted APCOA and its data protection officer. The company responded on April 24, stating that, according to its own analysis, no systematic outflow of data had taken place. The company also speaks of a "practically low risk" with regard to manipulation and the discovery of the security vulnerability by customers.
APCOA applied a hotfix to its systems on April 17, 2025, which fixed the problem. The editorial team was informed the very next day. Since then, a hash has been checked in addition to the booking number.
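The pattern described above, a sequential booking number as the only key to a document, and the kind of fix the article mentions, a hash checked in addition to the number, can be shown side by side. The following is an added example and not APCOA's code; the booking records, the server secret and the log lines are constructed sample data, and the route shape `/booking/<number>` is an assumption. The last function goes beyond the fix itself and shows how a defender can spot the "count up or down" access pattern in request logs.

```python
"""Added example (not APCOA's code): an enumerable lookup beside a hardened one,
plus a log check for sequential-ID access. All data below is constructed."""
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample data: booking number -> document (stand-in for the database).
BOOKINGS = {
    100041: {"plate": "B-XY 1234", "location": "P2 BER Terminal T1 & T2"},
    100042: {"plate": "M-AB 5678", "location": "P3 Outdoor Car Park"},
}

# Hypothetical server-side secret; a real deployment loads it from a secrets store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def get_booking_vulnerable(booking_id: int):
    """Before: the booking number alone selects the record. Because numbers are
    issued sequentially, anyone can read neighbouring bookings by changing the
    URL parameter by one."""
    return BOOKINGS.get(booking_id)


def booking_token(booking_id: int) -> str:
    """Derive an unguessable token bound to the booking number (HMAC-SHA256 over
    the number with a server secret). It is handed to the customer once, in the
    confirmation link, and cannot be computed without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, str(booking_id).encode(), hashlib.sha256).hexdigest()


def get_booking_hardened(booking_id: int, token: str):
    """After: the URL must carry a valid token in addition to the number.
    compare_digest keeps the comparison constant-time."""
    expected = booking_token(booking_id)
    if not hmac.compare_digest(expected, token):
        return None
    return BOOKINGS.get(booking_id)


# Assumed log format: "<client> GET /booking/<number>"; adapt the regex to yours.
LOG_LINE = re.compile(r"^(?P<client>\S+) GET /booking/(?P<id>\d+)")


def sequential_id_clients(log_lines, min_run: int = 3):
    """Detection helper: flag clients whose successive requests walk booking
    numbers in steps of +1 or -1 for at least `min_run` requests in a row."""
    per_client = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            per_client[m["client"]].append(int(m["id"]))
    flagged = set()
    for client, ids in per_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if abs(cur - prev) == 1 else 1
            if run >= min_run:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    # Constructed request log: one client steps through three adjacent numbers.
    sample_log = [
        "203.0.113.5 GET /booking/100041",
        "203.0.113.5 GET /booking/100042",
        "203.0.113.5 GET /booking/100043",
        "198.51.100.7 GET /booking/100042",
    ]
    link_token = booking_token(100041)
    print("own booking with token:", get_booking_hardened(100041, link_token))
    print("neighbour with same token:", get_booking_hardened(100042, link_token))
    print("clients walking sequential IDs:", sequential_id_clients(sample_log))
```

The token only fixes enumeration; where a customer is logged in, the server should additionally check that the booking belongs to that account, so a leaked link alone does not expose the document indefinitely.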
An old acquaintance
APCOA is not the first operator of online services to use easily guessable URL parameters and thus make customer data accessible. We have repeatedly reported on similar cases in the past. In 2022, c't reported on an almost identical case in which the same procedure was used to access customer data from the hotel at Legoland in Bavaria.
When vaccination and testing centers were set up in a hurry after the start of the coronavirus pandemic in 2020, some of them with improvised online appointment systems, this error was very common.
The non-profit Open Worldwide Application Security Project (OWASP), which maintains a top 10 list of security vulnerabilities, is also well aware of such problems. The "Broken Access Control" category, which includes access to data via a URL without further authorization checks, takes first place in the current OWASP ranking.
(tlz)