UK Parking Enforcement Contractor Leaves Sensitive Driver Data Exposed; Compounds Embarrassment By Issuing Bogus Legal Threats

from the as-secure-as-an-unlocked,-vellum-paper-door dept

Another day, another self-inflicted privacy breach. This time it's a UK private parking enforcement contractor that's leaving its supposedly-secret stuff right out in the open.

UK Parking Control (UKPC) is accused of revealing photographs of Brits' cars parked with number plates clearly to be read and in some cases the location revealed. In some images it's alleged that other details such as identification cards, shopping or belongings are clearly visible. Campaigners against private parking firms believe these images - allegedly made easily accessible to anyone on the UKPC website - exposed drivers' personal information.
When UKPC tickets a car, its enforcers take photos of the vehicle (and, apparently, inside the vehicle, among other places), which are uploaded to UKPC's site. The ticket itself has a printed URL pointing to the damning photos of the illegally parked vehicle. It's a slick system, but its "security" is easily thwarted by a process AT&T might find strangely familiar.
[O[ne ticket recipient claimed to have found that by tweaking values in this web address, he could access thousands of other digital photographs of other people's vehicles... Some shots show personal items on view inside the vehicles, such as an ID card placed next to a disabled-driver badge.
As you may recall, tweaking URLs allowed "Weev" to access the email addresses of hundreds of iPad users (and landed him in jail). The same lack of basic security is on display here. Changing a few values in the URL results in access to photos you were never meant to see.

A blog called Nutsville, which has been a longtime critic of the UK's private parking enforcement, posted several photos obtained from UKPC's website. Among the expected photos of vehicles (with visible license plates) are other oddities, including shots of the lower extremities of parking enforcement employees relaxing at home, several photos of vehicle interiors and most disturbingly, crystal clear photos of drivers' identification cards.

After the Register reported this story, the UK Information Commissioner's office pledged to investigate the leak. UKPC hasn't publicly responded to the breach, but it did send its lawyers after Nutsville in the form of a bizarre Letter Before Action that mixes and matches criminal and civil actions and seems unable to decide on when exactly Nutsville should respond/comply. Nutsville's response to the letter is well worth reading, punching holes in its paper-thin claims and generally deriding the ineptitude of the correspondence.

The letter claims Nutsville has breached the Computer Misuse Act, claiming these photos were acquired by "using a password, without authorisation, to access their website." Nutsville points out this is completely false. The only thing accessed were various URLs on UKPC's site by manipulating values in the URL themselves. From that point on, UKPC's legal representative goes completely off the rails, threatening to inform the police (a criminal matter) of Nutsville's actions. Mere sentences later, the lawyer threatens "injunctive High Court proceedings," suddenly making it a civil matter. On top of that, UKPC's rep demands Nutsville take down the blog post by 10 AM on April 2nd, only to wrap up the bungled legalese by requesting a reply by no later than April 8th.

As both deadlines have come and gone with no follow-up post from Nutsville (or response from UKPC), it would appear that the parking enforcement contractor has either given up on pursuing these bogus legal claims or is tied up attempting to clean up its own backyard ahead of the pending investigation.

The most disappointing aspect of this story is UKPC's response. Disappointing, but far from unexpected. For many businesses, the most common reaction to being informed of a data breach is to shoot the messenger. Rather than issue an apology and fix the problem, they tend to fire off legal threats about "unauthorized access" or other vague hacking claims as if the end user making the discovery should be treated as a criminal for their own negligence.



Reader Comments (rss)

(Flattened / Threaded)

  •  
    icon
    Zakida Paul (profile), Apr 10th, 2013 @ 3:44am

    This is nothing compared to high level NHS employees and intelligence personnel leaving files and laptops with sensitive data on the bus or train.

    It has been said many times before and will be said many times again; when it comes to security, the weakest part of any system is the user.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Apr 10th, 2013 @ 3:54am

      Re:

      Not sure I agree.
      At least when people forget their laptops they have explaining to do when they get back to the office.

      Lazy "security" like this could have been abused since the system was set up and we wouldn't know.

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      PaulT (profile), Apr 10th, 2013 @ 4:13am

      Re:

      Yes and no. With things like laptops and USB sticks being left around, it's a combination of both. Sure, the user should have been more careful, but whoever's in charge of policy should be making damn sure those things are encrypted and locked down before leaving the building. So blame to share all around in those cases, even if the ultimate fault is with the dumbass who left his laptop in a taxi.

      With this URL security issue, it's whoever designed the system who's at fault, not a user. The weakest point of any system is the weakest point. If you have a strong IT policy but dumb users, the users are the weak point. If you have highly trained users but a badly designed/maintained system, then it's the system.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    Ninja (profile), Apr 10th, 2013 @ 4:14am

    That's why I say exploit the damn breach to your heart's content and don't say a word. The risk of getting slammed with some lawsuit or prison sentence is too big. Since this seems to be the usual reaction then why not use such breaches in a profitable way?

    (btw, I'm joking around I'd not use any security flaw for my personal gain. However given the current climate I'd not inform the company of the breach.)

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Apr 10th, 2013 @ 4:18am

    UKPC ticketed my car repeatidly a few years ago.

    I got loads of bogus legal threats from them, they eventually gave up but not before sending me many "Final" notices before court action. Many laughs ensued each letter I got.

    I think I researched their 'solicitor' who's registered company address was the same as UKPC.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Apr 10th, 2013 @ 4:36am

    I'm fusking disgusted

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Pete, Apr 10th, 2013 @ 4:43am

    Breach of privacy? The photos were taken in a public place, with the possession in clear view.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Apr 10th, 2013 @ 5:13am

    Ridiculous claims of "url hacking" will soon, no doubt, be made by ill informed self proclaimed experts.
    Déjà vu.

    On a side note, when you have a strange feeling that this has never happened before - are you experiencing vuja de?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Apr 10th, 2013 @ 5:24am

    on par with most of what comes from the UK. never got their brains in gear before their mouths are in action!

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Duke (profile), Apr 10th, 2013 @ 7:13am

    Legal threat "makes sense"

    While the situation is rather silly, having read the actual legal threat is seems perfectly accurate (within UK law).

    They start by pointing out that the photos were obtained in breach of the Computer Misuse Act, which is probably true. Under the generic unauthorised access offence there isn't really any requirement that the stuff be password protected etc., merely that it is accessed, without authorisation. So, as with the other cases mentioned above, there's a reasonable chance whoever obtained them committed a crime in doing so, and so they are being reported to the police. The law may be a bit silly, but the legal threat makes sense.

    While Nutsville may not be committing any crimes (although I'm not sure), the police could be informed of their involvement as part of the above investigation, so nothing wrong there.

    The stuff about injunctive relief in the High Court is a separate thing; that's about getting the content removed from the website (possibly through misuse of private information). Yes, the lawyers should have specified what their cause of action would have been, but it isn't rare for a situation to have both civil and criminal elements.

    Treating it as a joke and making fun of the solicitors may be popular, but could come back to hurt them later.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    aidian, Apr 10th, 2013 @ 7:19am

    Use a URL, go to jail

    Didn't we just lock up the guy who exposed AT&T's sloppy security vis-a-vis iPad owners for doing nothing more than visiting unadvertised URL's? Seems like exactly what this guy did. So at least here in the state's he'd likely be guilty of a federal offense. Which is total fu**ing insanity, but that's the law as it stands today.

    Also, here in the U.S. if it's visible from somewhere public, you can shoot it and post it. UK is likely different, they've got some god-awful laws about that kind of stuff.

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This