UK Parking Enforcement Contractor Leaves Sensitive Driver Data Exposed; Compounds Embarrassment By Issuing Bogus Legal Threats
from the as-secure-as-an-unlocked,-vellum-paper-door dept
Another day, another self-inflicted privacy breach. This time it's a UK private parking enforcement contractor that's leaving its supposedly-secret stuff right out in the open.
UK Parking Control (UKPC) is accused of revealing photographs of Brits' cars parked with number plates clearly to be read and in some cases the location revealed. In some images it's alleged that other details such as identification cards, shopping or belongings are clearly visible. Campaigners against private parking firms believe these images - allegedly made easily accessible to anyone on the UKPC website - exposed drivers' personal information.When UKPC tickets a car, its enforcers take photos of the vehicle (and, apparently, inside the vehicle, among other places), which are uploaded to UKPC's site. The ticket itself has a printed URL pointing to the damning photos of the illegally parked vehicle. It's a slick system, but its "security" is easily thwarted by a process AT&T might find strangely familiar.
[O[ne ticket recipient claimed to have found that by tweaking values in this web address, he could access thousands of other digital photographs of other people's vehicles... Some shots show personal items on view inside the vehicles, such as an ID card placed next to a disabled-driver badge.As you may recall, tweaking URLs allowed "Weev" to access the email addresses of hundreds of iPad users (and landed him in jail). The same lack of basic security is on display here. Changing a few values in the URL results in access to photos you were never meant to see.
A blog called Nutsville, which has been a longtime critic of the UK's private parking enforcement, posted several photos obtained from UKPC's website. Among the expected photos of vehicles (with visible license plates) are other oddities, including shots of the lower extremities of parking enforcement employees relaxing at home, several photos of vehicle interiors and most disturbingly, crystal clear photos of drivers' identification cards.
After the Register reported this story, the UK Information Commissioner's office pledged to investigate the leak. UKPC hasn't publicly responded to the breach, but it did send its lawyers after Nutsville in the form of a bizarre Letter Before Action that mixes and matches criminal and civil actions and seems unable to decide on when exactly Nutsville should respond/comply. Nutsville's response to the letter is well worth reading, punching holes in its paper-thin claims and generally deriding the ineptitude of the correspondence.
The letter claims Nutsville has breached the Computer Misuse Act, claiming these photos were acquired by "using a password, without authorisation, to access their website." Nutsville points out this is completely false. The only thing accessed were various URLs on UKPC's site by manipulating values in the URL themselves. From that point on, UKPC's legal representative goes completely off the rails, threatening to inform the police (a criminal matter) of Nutsville's actions. Mere sentences later, the lawyer threatens "injunctive High Court proceedings," suddenly making it a civil matter. On top of that, UKPC's rep demands Nutsville take down the blog post by 10 AM on April 2nd, only to wrap up the bungled legalese by requesting a reply by no later than April 8th.
As both deadlines have come and gone with no follow-up post from Nutsville (or response from UKPC), it would appear that the parking enforcement contractor has either given up on pursuing these bogus legal claims or is tied up attempting to clean up its own backyard ahead of the pending investigation.
The most disappointing aspect of this story is UKPC's response. Disappointing, but far from unexpected. For many businesses, the most common reaction to being informed of a data breach is to shoot the messenger. Rather than issue an apology and fix the problem, they tend to fire off legal threats about "unauthorized access" or other vague hacking claims as if the end user making the discovery should be treated as a criminal for their own negligence.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: hacking, legal threats, parking enforcement, privacy, security, uk, urls
Companies: uk parking control, ukpc
Reader Comments
Subscribe: RSS
View by: Time | Thread
It has been said many times before and will be said many times again; when it comes to security, the weakest part of any system is the user.
[ link to this | view in chronology ]
Re:
At least when people forget their laptops they have explaining to do when they get back to the office.
Lazy "security" like this could have been abused since the system was set up and we wouldn't know.
[ link to this | view in chronology ]
Re:
With this URL security issue, it's whoever designed the system who's at fault, not a user. The weakest point of any system is the weakest point. If you have a strong IT policy but dumb users, the users are the weak point. If you have highly trained users but a badly designed/maintained system, then it's the system.
[ link to this | view in chronology ]
(btw, I'm joking around I'd not use any security flaw for my personal gain. However given the current climate I'd not inform the company of the breach.)
[ link to this | view in chronology ]
I got loads of bogus legal threats from them, they eventually gave up but not before sending me many "Final" notices before court action. Many laughs ensued each letter I got.
I think I researched their 'solicitor' who's registered company address was the same as UKPC.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
If so, all that information is already publicly viewable.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Déjà vu.
On a side note, when you have a strange feeling that this has never happened before - are you experiencing vuja de?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Legal threat "makes sense"
They start by pointing out that the photos were obtained in breach of the Computer Misuse Act, which is probably true. Under the generic unauthorised access offence there isn't really any requirement that the stuff be password protected etc., merely that it is accessed, without authorisation. So, as with the other cases mentioned above, there's a reasonable chance whoever obtained them committed a crime in doing so, and so they are being reported to the police. The law may be a bit silly, but the legal threat makes sense.
While Nutsville may not be committing any crimes (although I'm not sure), the police could be informed of their involvement as part of the above investigation, so nothing wrong there.
The stuff about injunctive relief in the High Court is a separate thing; that's about getting the content removed from the website (possibly through misuse of private information). Yes, the lawyers should have specified what their cause of action would have been, but it isn't rare for a situation to have both civil and criminal elements.
Treating it as a joke and making fun of the solicitors may be popular, but could come back to hurt them later.
[ link to this | view in chronology ]
Re: Legal threat "makes sense"
[Though what's with point 8? are your marketing/ethics rules changing???? ]
[ link to this | view in chronology ]
Use a URL, go to jail
Also, here in the U.S. if it's visible from somewhere public, you can shoot it and post it. UK is likely different, they've got some god-awful laws about that kind of stuff.
[ link to this | view in chronology ]