A private database of parking ticket details for almost 10,000 motorists has been published online.
The firm reportedly responsible for the gaffe is PaymyPCN.net, which collects driver penalty charges and has a direct link to the Driver and Vehicle Licensing Agency (DVLA) database.
The company allows drivers to pay parking fines and appeal them through its website, and describes itself as a PCI DSS compliant payment processor dedicated to safeguarding motorists’ privacy with data encryption.
Sky News reported that PaymyPCN.net accidentally sent the data, meant only for use by police and licensed parking firms, to one of its customers who then published it on the Internet.
The content included customer names and addresses, emails regarding penalty charge appeals, and photographs of motorists and their vehicles taken by enforcement officers.
Sol Cates, chief security officer at data security firm Vormetric, said the incident highlights companies’ security weakness at database level.
“In this case, although the information was encrypted, just as important is the control of access to the encrypted information – and this is where PaymyPCN.net appears to have failed.”
Encryption without access controls is of limited value – protecting only against physical loss or theft of a device with sensitive data. Unfortunately, the compromised data, which included drivers’ names, emails, photographs and addresses, is the type that can be easily used by hackers looking to craft social engineering scams later down the line.
Cates added: “Failure to understand every mode of access or every potential exposure point in the business network is simply a breach waiting to happen – in this case, the business has learned the hard way. Protecting data no matter where it is stored and to whom it is transferred requires a combination of technologies to combat sophisticated threats.
“Deploying encryption and access control for data at rest, Database Activity Monitoring (DAM) and Security Information and Event Management (SIEM) to gather together information on what is happening to data means that organisations can identify breaches as and when they occur, as well as spot advanced threats, compromised accounts and malicious insiders before it is too late.”
And that's why this type of information should never be allowed to be handled by private firms. Driver information etc. should only be available to the police and no one else - the selling off of citizens' data is a total breach of trust by the government.