San Francisco’s transport agency exposes drivers’ parking permits and addresses


A misconfiguration in the Metropolitan Transportation Commission (MTC) systems caused a leak of over 26K files, exposing clients’ parking permits and home addresses.

The MTC is a governmental agency responsible for regional transportation planning and financing in the San Francisco Bay Area.

The latest research by Cybernews shows that the agency left Amazon Web Services (AWS) buckets storing over 26,000 files publicly accessible.

Leaked files included PDF files with Bay Area Rapid Transit (BART) carpool parking permits sent out by the agency. The permits were obtained through the 511.org website, an online platform providing transportation information in the Bay Area.

Thousands of leaked permits exposed the users' full names and home addresses. Our researchers found that the letters are dated between 2016 and 2021.

The researchers contacted MTC, and public access to the data was closed. Cybernews reached out to MTC for an official comment but has yet to hear back from them.

While the leaked parking permits are no longer valid, malicious actors could use the exposed data for identity theft and to craft spear phishing attacks.

Screenshot of a leaked permit. Image by Cybernews

Staying safe

To mitigate the potential risks, MTC should:

  • Review access logs retrospectively to identify any unauthorized access by third parties.
  • Conduct a post-incident investigation to gather insights from the incident and bolster the agency's security posture.
  • Verify that their private cloud instances are properly configured.
  • Consider implementing best security practices, including regular audits, automated security checks, and employee training.
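The retrospective log review in the first recommendation could look like the following. This is an added example, not code from Cybernews or MTC: it assumes S3 server access logging was enabled on the affected buckets and uses AWS's documented record layout, in which the requester field is "-" for unauthenticated requests. The sample records, bucket name, IDs and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Leading fields of an S3 server access log record, in AWS's documented order.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+)'
)
# Object downloads and bucket listings are the operations that expose data.
READ_OPS = {"REST.GET.OBJECT", "REST.GET.BUCKET"}

def anonymous_reads(lines):
    """Return ({ip: [(time, operation, key), ...]}, unparsed_count) for
    successful reads made without credentials (requester field is '-')."""
    hits, unparsed = defaultdict(list), 0
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1  # count, don't silently drop: gaps matter in a review
            continue
        if (m["requester"] == "-" and m["operation"] in READ_OPS
                and m["status"] in ("200", "206")):
            hits[m["ip"]].append((m["time"], m["operation"], m["key"]))
    return dict(hits), unparsed

# Constructed sample records (assumption: placeholders, not real log data).
SAMPLE = """\
ownerid0 example-permits [12/Sep/2023:08:14:02 +0000] 198.51.100.7 - REQ1 REST.GET.OBJECT permits/letter-0001.pdf "GET /permits/letter-0001.pdf HTTP/1.1" 200 - 48211 48211 20 19 "-" "curl/8.0" -
ownerid0 example-permits [12/Sep/2023:08:14:05 +0000] 198.51.100.7 - REQ2 REST.GET.OBJECT permits/letter-0002.pdf "GET /permits/letter-0002.pdf HTTP/1.1" 206 - 1024 51002 9 8 "-" "curl/8.0" -
ownerid0 example-permits [12/Sep/2023:09:00:00 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/etl REQ3 REST.GET.OBJECT permits/letter-0001.pdf "GET /permits/letter-0001.pdf HTTP/1.1" 200 - 48211 48211 18 17 "-" "aws-cli/2.0" -
ownerid0 example-permits [13/Sep/2023:10:30:11 +0000] 203.0.113.5 - REQ4 REST.GET.OBJECT permits/letter-0003.pdf "GET /permits/letter-0003.pdf HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "Mozilla/5.0" -
ownerid0 example-permits [11/Sep/2023:23:59:40 +0000] 203.0.113.5 - REQ5 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 9120 - 31 30 "-" "Mozilla/5.0" -
truncated line
"""

if __name__ == "__main__":
    found, bad = anonymous_reads(SAMPLE.splitlines())
    for ip, reads in found.items():
        print(ip, len(reads), "anonymous reads, first at", reads[0][0])
    print("unparsed lines:", bad)
```

Successful anonymous bucket listings deserve particular attention, because a listing gives the requester every object key in one response.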

Updated on October 27 [01:15 PM GMT]. The original version of the article incorrectly stated that a misconfiguration in the Metropolitan Transportation Commission (MTC) systems caused a leak of clients' vehicle plate numbers. In actuality, among other data, vehicle permit numbers and not vehicle registration numbers were exposed. The headline and the remaining paragraphs were updated to reflect the correct data.

