UK Parking Enforcement Contractor Leaves Sensitive Driver Data Exposed; Compounds Embarrassment By Issuing Bogus Legal Threats

from the as-secure-as-an-unlocked,-vellum-paper-door dept

Another day, another self-inflicted privacy breach. This time it’s a UK private parking enforcement contractor that’s leaving its supposedly-secret stuff right out in the open.

UK Parking Control (UKPC) is accused of revealing photographs of Brits’ cars parked with number plates clearly to be read and in some cases the location revealed. In some images it’s alleged that other details such as identification cards, shopping or belongings are clearly visible. Campaigners against private parking firms believe these images – allegedly made easily accessible to anyone on the UKPC website – exposed drivers’ personal information.

When UKPC tickets a car, its enforcers take photos of the vehicle (and, apparently, inside the vehicle, among other places), which are uploaded to UKPC’s site. The ticket itself has a printed URL pointing to the damning photos of the illegally parked vehicle. It’s a slick system, but its “security” is easily thwarted by a process AT&T might find strangely familiar.

[O]ne ticket recipient claimed to have found that by tweaking values in this web address, he could access thousands of other digital photographs of other people’s vehicles… Some shots show personal items on view inside the vehicles, such as an ID card placed next to a disabled-driver badge.

As you may recall, tweaking URLs allowed “Weev” to access the email addresses of hundreds of iPad users (and landed him in jail). The same lack of basic security is on display here. Changing a few values in the URL results in access to photos you were never meant to see.
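One way a printed ticket URL can resist this kind of value-tweaking, shown as an added example (not UKPC's code and not from the original article): the server binds each ticket number to an HMAC tag and refuses any request whose tag does not match. The host, parameter names and key below are assumptions made up for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a server-side secret; a real deployment loads it from a secrets store.
SECRET_KEY = b"constructed-demo-key-not-for-production"
BASE_URL = "https://parking.example/evidence"  # hypothetical host and path


def sign_ticket(ticket_id: str) -> str:
    """Return a hex HMAC-SHA256 tag bound to exactly one ticket ID."""
    return hmac.new(SECRET_KEY, ticket_id.encode(), hashlib.sha256).hexdigest()


def printed_url(ticket_id: str) -> str:
    """Build the URL printed on the ticket: the ID plus its tag."""
    query = urlencode({"ticket": ticket_id, "sig": sign_ticket(ticket_id)})
    return f"{BASE_URL}?{query}"


def authorize(url: str) -> bool:
    """Allow access to the photos only when the tag matches the requested ID."""
    query = parse_qs(urlsplit(url).query)
    ticket_id = query.get("ticket", [""])[0]
    sig = query.get("sig", [""])[0]
    if not ticket_id or not sig:
        return False  # a bare, guessable ID is never enough
    expected = sign_ticket(ticket_id)
    # compare_digest on bytes avoids timing leaks and non-ASCII type errors.
    return hmac.compare_digest(expected.encode(), sig.encode())


if __name__ == "__main__":
    url = printed_url("1000123")  # constructed sample ticket number
    tampered = url.replace("ticket=1000123", "ticket=1000124")
    print(authorize(url), authorize(tampered))
```

The tag only proves that the URL was issued by the server for that ticket; anyone holding the printed ticket can still view the photos, so sensitive images such as ID cards should not sit behind it at all.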

A blog called Nutsville, which has been a longtime critic of the UK’s private parking enforcement, posted several photos obtained from UKPC’s website. Among the expected photos of vehicles (with visible license plates) are other oddities, including shots of the lower extremities of parking enforcement employees relaxing at home, several photos of vehicle interiors and most disturbingly, crystal clear photos of drivers’ identification cards.

After the Register reported this story, the UK Information Commissioner’s office pledged to investigate the leak. UKPC hasn’t publicly responded to the breach, but it did send its lawyers after Nutsville in the form of a bizarre Letter Before Action that mixes and matches criminal and civil actions and seems unable to decide on when exactly Nutsville should respond/comply. Nutsville’s response to the letter is well worth reading, punching holes in its paper-thin claims and generally deriding the ineptitude of the correspondence.

The letter claims Nutsville has breached the Computer Misuse Act, claiming these photos were acquired by “using a password, without authorisation, to access their website.” Nutsville points out this is completely false. The only things accessed were various URLs on UKPC’s site, reached by manipulating values in the URLs themselves. From that point on, UKPC’s legal representative goes completely off the rails, threatening to inform the police (a criminal matter) of Nutsville’s actions. Mere sentences later, the lawyer threatens “injunctive High Court proceedings,” suddenly making it a civil matter. On top of that, UKPC’s rep demands Nutsville take down the blog post by 10 AM on April 2nd, only to wrap up the bungled legalese by requesting a reply by no later than April 8th.

As both deadlines have come and gone with no follow-up post from Nutsville (or response from UKPC), it would appear that the parking enforcement contractor has either given up on pursuing these bogus legal claims or is tied up attempting to clean up its own backyard ahead of the pending investigation.

The most disappointing aspect of this story is UKPC’s response. Disappointing, but far from unexpected. For many businesses, the most common reaction to being informed of a data breach is to shoot the messenger. Rather than issue an apology and fix the problem, they tend to fire off legal threats about “unauthorized access” or other vague hacking claims as if the end user making the discovery should be treated as a criminal for their own negligence.

Companies: uk parking control, ukpc


Comments on “UK Parking Enforcement Contractor Leaves Sensitive Driver Data Exposed; Compounds Embarrassment By Issuing Bogus Legal Threats”

PaulT (profile) says:

Re: Re:

Yes and no. With things like laptops and USB sticks being left around, it’s a combination of both. Sure, the user should have been more careful, but whoever’s in charge of policy should be making damn sure those things are encrypted and locked down before leaving the building. So blame to share all around in those cases, even if the ultimate fault is with the dumbass who left his laptop in a taxi.

With this URL security issue, it’s whoever designed the system who’s at fault, not a user. The weakest point of any system is the weakest point. If you have a strong IT policy but dumb users, the users are the weak point. If you have highly trained users but a badly designed/maintained system, then it’s the system.

Ninja (profile) says:

That’s why I say exploit the damn breach to your heart’s content and don’t say a word. The risk of getting slammed with some lawsuit or prison sentence is too big. Since this seems to be the usual reaction then why not use such breaches in a profitable way?

(btw, I’m joking around; I’d not use any security flaw for my personal gain. However, given the current climate, I’d not inform the company of the breach.)

Anonymous Coward says:

UKPC ticketed my car repeatedly a few years ago.

I got loads of bogus legal threats from them, they eventually gave up but not before sending me many “Final” notices before court action. Many laughs ensued each letter I got.

I think I researched their ‘solicitor’ whose registered company address was the same as UKPC.

Duke (profile) says:

Legal threat "makes sense"

While the situation is rather silly, having read the actual legal threat it seems perfectly accurate (within UK law).

They start by pointing out that the photos were obtained in breach of the Computer Misuse Act, which is probably true. Under the generic unauthorised access offence there isn’t really any requirement that the stuff be password protected etc., merely that it is accessed, without authorisation. So, as with the other cases mentioned above, there’s a reasonable chance whoever obtained them committed a crime in doing so, and so they are being reported to the police. The law may be a bit silly, but the legal threat makes sense.

While Nutsville may not be committing any crimes (although I’m not sure), the police could be informed of their involvement as part of the above investigation, so nothing wrong there.

The stuff about injunctive relief in the High Court is a separate thing; that’s about getting the content removed from the website (possibly through misuse of private information). Yes, the lawyers should have specified what their cause of action would have been, but it isn’t rare for a situation to have both civil and criminal elements.

Treating it as a joke and making fun of the solicitors may be popular, but could come back to hurt them later.

aidian says:

Use a URL, go to jail

Didn’t we just lock up the guy who exposed AT&T’s sloppy security vis-a-vis iPad owners for doing nothing more than visiting unadvertised URLs? Seems like exactly what this guy did. So at least here in the States he’d likely be guilty of a federal offense. Which is total fu**ing insanity, but that’s the law as it stands today.

Also, here in the U.S. if it’s visible from somewhere public, you can shoot it and post it. UK is likely different, they’ve got some god-awful laws about that kind of stuff.
