A private database of parking ticket details for almost 10,000 motorists has been published online.
The firm reportedly responsible for the gaffe is PaymyPCN.net, which collects driver penalty charges and has a direct link to the Driver and Vehicle Licensing Agency (DVLA) database.
The company allows drivers to pay parking fines and appeal them through its website, and describes itself as a PCI DSS compliant payment processor dedicated to safeguarding motorists’ privacy with data encryption.
Sky News reported that PaymyPCN.net accidentally sent the data, meant only for use by police and licensed parking firms, to one of its customers who then published it on the Internet.
The content included customer names and addresses, emails regarding penalty charge appeals, and photographs of motorists and their vehicles taken by enforcement officers.
Sol Cates, chief security officer at data security firm Vormetric, said the incident highlights companies’ security weakness at the database level.
“In this case, although the information was encrypted, just as important is the control of access to the encrypted information – and this is where PaymyPCN.net appears to have failed.”
Encryption without access controls is of limited value – it protects only against physical loss or theft of a device holding sensitive data, not against a legitimate-looking request that is served to the wrong party. Unfortunately, the compromised data, which included drivers’ names, emails, photographs and addresses, is the type that can easily be used by criminals crafting social engineering scams further down the line.
Cates added: “Failure to understand every mode of access or every potential exposure point in the business network is simply a breach waiting to happen – in this case, the business has learned the hard way. Protecting data no matter where it is stored and to whom it is transferred requires a combination of technologies to combat sophisticated threats.
“Deploying encryption and access control for data at rest, Database Activity Monitoring (DAM) and Security Information and Event Management (SIEM) to gather together information on what is happening to data means that organisations can identify breaches as and when they occur, as well as spot advanced threats, compromised accounts and malicious insiders before it is too late.”
And that's why this type of information should never be allowed to be handled by private firms. Driver information, etc., should only be available to the police and no one else - the selling off of citizens' data is a total breach of trust by the government.