HUGE Parking Ticket Data Breach Highlights Business Security Weaknesses

A private database of parking ticket details for almost 10,000 motorists has been published online.

The firm reportedly responsible for the gaffe is PaymyPCN.net, which collects driver penalty charges and has a direct link to the Driver and Vehicle Licensing Agency (DVLA) database.

Safeguarding privacy?

The company allows drivers to pay parking fines and appeal them through its website, and describes itself as a PCI DSS compliant payment processor dedicated to safeguarding motorists’ privacy with data encryption.

Sky News reported that PaymyPCN.net accidentally sent the data, meant only for use by police and licensed parking firms, to one of its customers who then published it on the Internet.

The content included customer names and addresses, emails regarding penalty charge appeals, and photographs of motorists and their vehicles taken by enforcement officers.

Sol Cates, chief security officer at data security firm Vormetric, said the incident highlights companies’ security weakness at database level.

He said: “Though the spectrum of threats facing the data and information we hold dear continues to evolve and multiply, and as new technologies such as cloud and big data increasingly expose businesses to other modes of attack, it seems that too many are still unprepared for attacks at the database level. Indeed, this breach at PaymyPCN.net demonstrates that even with basic IT security measures in place, perimeters are still permeable.

“In this case, although the information was encrypted, just as important is the control of access to the encrypted information – and this is where PaymyPCN.net appears to have failed.”

Encryption without access controls is of limited value – protecting only against physical loss or theft of a device with sensitive data. Unfortunately, the compromised data, which included drivers’ names, emails, photographs and addresses, is the type that can be easily used by hackers looking to craft social engineering scams later down the line.

Cates added: “Failure to understand every mode of access or every potential exposure point in the business network is simply a breach waiting to happen – in this case, the business has learned the hard way. Protecting data no matter where it is stored and to whom it is transferred requires a combination of technologies to combat sophisticated threats.

“Deploying encryption and access control for data at rest, Database Activity Monitoring (DAM) and Security Information and Event Management (SIEM) to gather together information on what is happening to data means that organisations can identify breaches as and when they occur, as well as spot advanced threats, compromised accounts and malicious insiders before it is too late.”


Duncan Macrae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.

View Comments

  • and that's why this type of information should never be allowed to be handled by private firms. Driver information etc. should only be available to the police and no one else - the selling off of citizens' data is a total breach of trust by the government
