UK Parking Enforcement Contractor Leaves Sensitive Driver Data Exposed; Compounds Embarrassment By Issuing Bogus Legal Threats
from the as-secure-as-an-unlocked,-vellum-paper-door dept
Another day, another self-inflicted privacy breach. This time it’s a UK private parking enforcement contractor that’s leaving its supposedly-secret stuff right out in the open.
UK Parking Control (UKPC) is accused of revealing photographs of Brits’ cars parked with number plates clearly to be read and in some cases the location revealed. In some images it’s alleged that other details such as identification cards, shopping or belongings are clearly visible. Campaigners against private parking firms believe these images – allegedly made easily accessible to anyone on the UKPC website – exposed drivers’ personal information.
When UKPC tickets a car, its enforcers take photos of the vehicle (and, apparently, inside the vehicle, among other places), which are uploaded to UKPC’s site. The ticket itself has a printed URL pointing to the damning photos of the illegally parked vehicle. It’s a slick system, but its “security” is easily thwarted by a process AT&T might find strangely familiar.
[O[ne ticket recipient claimed to have found that by tweaking values in this web address, he could access thousands of other digital photographs of other people’s vehicles… Some shots show personal items on view inside the vehicles, such as an ID card placed next to a disabled-driver badge.
As you may recall, tweaking URLs allowed “Weev” to access the email addresses of hundreds of iPad users (and landed him in jail). The same lack of basic security is on display here. Changing a few values in the URL results in access to photos you were never meant to see.
A blog called Nutsville, which has been a longtime critic of the UK’s private parking enforcement, posted several photos obtained from UKPC’s website. Among the expected photos of vehicles (with visible license plates) are other oddities, including shots of the lower extremities of parking enforcement employees relaxing at home, several photos of vehicle interiors and most disturbingly, crystal clear photos of drivers’ identification cards.
After the Register reported this story, the UK Information Commissioner’s office pledged to investigate the leak. UKPC hasn’t publicly responded to the breach, but it did send its lawyers after Nutsville in the form of a bizarre Letter Before Action that mixes and matches criminal and civil actions and seems unable to decide on when exactly Nutsville should respond/comply. Nutsville’s response to the letter is well worth reading, punching holes in its paper-thin claims and generally deriding the ineptitude of the correspondence.
The letter claims Nutsville has breached the Computer Misuse Act, claiming these photos were acquired by “using a password, without authorisation, to access their website.” Nutsville points out this is completely false. The only thing accessed were various URLs on UKPC’s site by manipulating values in the URL themselves. From that point on, UKPC’s legal representative goes completely off the rails, threatening to inform the police (a criminal matter) of Nutsville’s actions. Mere sentences later, the lawyer threatens “injunctive High Court proceedings,” suddenly making it a civil matter. On top of that, UKPC’s rep demands Nutsville take down the blog post by 10 AM on April 2nd, only to wrap up the bungled legalese by requesting a reply by no later than April 8th.
As both deadlines have come and gone with no follow-up post from Nutsville (or response from UKPC), it would appear that the parking enforcement contractor has either given up on pursuing these bogus legal claims or is tied up attempting to clean up its own backyard ahead of the pending investigation.
The most disappointing aspect of this story is UKPC’s response. Disappointing, but far from unexpected. For many businesses, the most common reaction to being informed of a data breach is to shoot the messenger. Rather than issue an apology and fix the problem, they tend to fire off legal threats about “unauthorized access” or other vague hacking claims as if the end user making the discovery should be treated as a criminal for their own negligence.
Filed Under: hacking, legal threats, parking enforcement, privacy, security, uk, urls
Companies: uk parking control, ukpc
Comments on “UK Parking Enforcement Contractor Leaves Sensitive Driver Data Exposed; Compounds Embarrassment By Issuing Bogus Legal Threats”
This is nothing compared to high level NHS employees and intelligence personnel leaving files and laptops with sensitive data on the bus or train.
It has been said many times before and will be said many times again; when it comes to security, the weakest part of any system is the user.
Re: Re:
Not sure I agree.
At least when people forget their laptops they have explaining to do when they get back to the office.
Lazy “security” like this could have been abused since the system was set up and we wouldn’t know.
Re: Re:
Yes and no. With things like laptops and USB sticks being left around, it’s a combination of both. Sure, the user should have been more careful, but whoever’s in charge of policy should be making damn sure those things are encrypted and locked down before leaving the building. So blame to share all around in those cases, even if the ultimate fault is with the dumbass who left his laptop in a taxi.
With this URL security issue, it’s whoever designed the system who’s at fault, not a user. The weakest point of any system is the weakest point. If you have a strong IT policy but dumb users, the users are the weak point. If you have highly trained users but a badly designed/maintained system, then it’s the system.
That’s why I say exploit the damn breach to your heart’s content and don’t say a word. The risk of getting slammed with some lawsuit or prison sentence is too big. Since this seems to be the usual reaction then why not use such breaches in a profitable way?
(btw, I’m joking around I’d not use any security flaw for my personal gain. However given the current climate I’d not inform the company of the breach.)
UKPC ticketed my car repeatidly a few years ago.
I got loads of bogus legal threats from them, they eventually gave up but not before sending me many “Final” notices before court action. Many laughs ensued each letter I got.
I think I researched their ‘solicitor’ who’s registered company address was the same as UKPC.
I’m fusking disgusted
Breach of privacy? The photos were taken in a public place, with the possession in clear view.
Re: Re:
Say, mind if I follow you around and post pictures of everywhere you go in public?
Re: Re:
Idiot. On those that displayed parking badges, those badges contain not only personally identifiable information, but also that person’s NI number. At least keep it hidden to only that ticket issuee.
Re: Re: Re:
Are the parking badges displayed on the vehicle?
If so, all that information is already publicly viewable.
Re: Re: Re: Re:
What, even that on the reverse?
Re: Re: Re:2 Re:
Can it be seen publicly by anybody who walks by and looks?
Re: Re: Re:3 Re:
Not without contorting to strange and narrow angles, which from the images, it looks like the wardens did.
Ridiculous claims of “url hacking” will soon, no doubt, be made by ill informed self proclaimed experts.
D?j? vu.
On a side note, when you have a strange feeling that this has never happened before – are you experiencing vuja de?
Re: Re:
No, that’s called impossible!
on par with most of what comes from the UK. never got their brains in gear before their mouths are in action!
Legal threat "makes sense"
While the situation is rather silly, having read the actual legal threat is seems perfectly accurate (within UK law).
They start by pointing out that the photos were obtained in breach of the Computer Misuse Act, which is probably true. Under the generic unauthorised access offence there isn’t really any requirement that the stuff be password protected etc., merely that it is accessed, without authorisation. So, as with the other cases mentioned above, there’s a reasonable chance whoever obtained them committed a crime in doing so, and so they are being reported to the police. The law may be a bit silly, but the legal threat makes sense.
While Nutsville may not be committing any crimes (although I’m not sure), the police could be informed of their involvement as part of the above investigation, so nothing wrong there.
The stuff about injunctive relief in the High Court is a separate thing; that’s about getting the content removed from the website (possibly through misuse of private information). Yes, the lawyers should have specified what their cause of action would have been, but it isn’t rare for a situation to have both civil and criminal elements.
Treating it as a joke and making fun of the solicitors may be popular, but could come back to hurt them later.
Re: Legal threat "makes sense"
Totally off topic (well maybe not after your last sentence) did you get a hug yesterday ? 😉
[Though what’s with point 8? are your marketing/ethics rules changing???? ]
Use a URL, go to jail
Didn’t we just lock up the guy who exposed AT&T’s sloppy security vis-a-vis iPad owners for doing nothing more than visiting unadvertised URL’s? Seems like exactly what this guy did. So at least here in the state’s he’d likely be guilty of a federal offense. Which is total fu**ing insanity, but that’s the law as it stands today.
Also, here in the U.S. if it’s visible from somewhere public, you can shoot it and post it. UK is likely different, they’ve got some god-awful laws about that kind of stuff.