UK Parking Enforcement Contractor Leaves Sensitive Driver Data Exposed; Compounds Embarrassment By Issuing Bogus Legal Threats

from the as-secure-as-an-unlocked,-vellum-paper-door dept

Wed, Apr 10th 2013 3:38am — Tim Cushing

Another day, another self-inflicted privacy breach. This time it's a UK private parking enforcement contractor that's leaving its supposedly-secret stuff right out in the open.

UK Parking Control (UKPC) is accused of revealing photographs of Brits' cars parked with number plates clearly to be read and in some cases the location revealed. In some images it's alleged that other details such as identification cards, shopping or belongings are clearly visible. Campaigners against private parking firms believe these images - allegedly made easily accessible to anyone on the UKPC website - exposed drivers' personal information.

When UKPC tickets a car, its enforcers take photos of the vehicle (and, apparently, inside the vehicle, among other places), which are uploaded to UKPC's site. The ticket itself has a printed URL pointing to the damning photos of the illegally parked vehicle. It's a slick system, but its "security" is easily thwarted by a process AT&T might find strangely familiar.

[O[ne ticket recipient claimed to have found that by tweaking values in this web address, he could access thousands of other digital photographs of other people's vehicles... Some shots show personal items on view inside the vehicles, such as an ID card placed next to a disabled-driver badge.

As you may recall, tweaking URLs allowed "Weev" to access the email addresses of hundreds of iPad users (and landed him in jail). The same lack of basic security is on display here. Changing a few values in the URL results in access to photos you were never meant to see.

A blog called Nutsville, which has been a longtime critic of the UK's private parking enforcement, posted several photos obtained from UKPC's website. Among the expected photos of vehicles (with visible license plates) are other oddities, including shots of the lower extremities of parking enforcement employees relaxing at home, several photos of vehicle interiors and most disturbingly, crystal clear photos of drivers' identification cards.

After the Register reported this story, the UK Information Commissioner's office pledged to investigate the leak. UKPC hasn't publicly responded to the breach, but it did send its lawyers after Nutsville in the form of a bizarre Letter Before Action that mixes and matches criminal and civil actions and seems unable to decide on when exactly Nutsville should respond/comply. Nutsville's response to the letter is well worth reading, punching holes in its paper-thin claims and generally deriding the ineptitude of the correspondence.

The letter claims Nutsville has breached the Computer Misuse Act, claiming these photos were acquired by "using a password, without authorisation, to access their website." Nutsville points out this is completely false. The only thing accessed were various URLs on UKPC's site by manipulating values in the URL themselves. From that point on, UKPC's legal representative goes completely off the rails, threatening to inform the police (a criminal matter) of Nutsville's actions. Mere sentences later, the lawyer threatens "injunctive High Court proceedings," suddenly making it a civil matter. On top of that, UKPC's rep demands Nutsville take down the blog post by 10 AM on April 2nd, only to wrap up the bungled legalese by requesting a reply by no later than April 8th.

As both deadlines have come and gone with no follow-up post from Nutsville (or response from UKPC), it would appear that the parking enforcement contractor has either given up on pursuing these bogus legal claims or is tied up attempting to clean up its own backyard ahead of the pending investigation.

The most disappointing aspect of this story is UKPC's response. Disappointing, but far from unexpected. For many businesses, the most common reaction to being informed of a data breach is to shoot the messenger. Rather than issue an apology and fix the problem, they tend to fire off legal threats about "unauthorized access" or other vague hacking claims as if the end user making the discovery should be treated as a criminal for their own negligence.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: hacking, legal threats, parking enforcement, privacy, security, uk, urls
Companies: uk parking control, ukpc

19 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Zakida Paul (profile), 10 Apr 2013 @ 3:44am

This is nothing compared to high level NHS employees and intelligence personnel leaving files and laptops with sensitive data on the bus or train.

It has been said many times before and will be said many times again; when it comes to security, the weakest part of any system is the user.
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2013 @ 3:54am

Re:
Not sure I agree.
At least when people forget their laptops they have explaining to do when they get back to the office.

Lazy "security" like this could have been abused since the system was set up and we wouldn't know.
[ link to this | view in thread ]
PaulT (profile), 10 Apr 2013 @ 4:13am

Re:
Yes and no. With things like laptops and USB sticks being left around, it's a combination of both. Sure, the user should have been more careful, but whoever's in charge of policy should be making damn sure those things are encrypted and locked down before leaving the building. So blame to share all around in those cases, even if the ultimate fault is with the dumbass who left his laptop in a taxi.

With this URL security issue, it's whoever designed the system who's at fault, not a user. The weakest point of any system is the weakest point. If you have a strong IT policy but dumb users, the users are the weak point. If you have highly trained users but a badly designed/maintained system, then it's the system.
[ link to this | view in thread ]
Ninja (profile), 10 Apr 2013 @ 4:14am

That's why I say exploit the damn breach to your heart's content and don't say a word. The risk of getting slammed with some lawsuit or prison sentence is too big. Since this seems to be the usual reaction then why not use such breaches in a profitable way?

(btw, I'm joking around I'd not use any security flaw for my personal gain. However given the current climate I'd not inform the company of the breach.)
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2013 @ 4:18am

UKPC ticketed my car repeatidly a few years ago.

I got loads of bogus legal threats from them, they eventually gave up but not before sending me many "Final" notices before court action. Many laughs ensued each letter I got.

I think I researched their 'solicitor' who's registered company address was the same as UKPC.
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2013 @ 4:36am

I'm fusking disgusted
[ link to this | view in thread ]
Pete, 10 Apr 2013 @ 4:43am

Breach of privacy? The photos were taken in a public place, with the possession in clear view.
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2013 @ 5:04am

Re:
Say, mind if I follow you around and post pictures of everywhere you go in public?
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2013 @ 5:08am

Re:
Idiot. On those that displayed parking badges, those badges contain not only personally identifiable information, but also that person's NI number. At least keep it hidden to only that ticket issuee.
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2013 @ 5:13am

Ridiculous claims of "url hacking" will soon, no doubt, be made by ill informed self proclaimed experts.
D�j� vu.

On a side note, when you have a strange feeling that this has never happened before - are you experiencing vuja de?
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2013 @ 5:14am

Re:
No, that's called impossible!
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2013 @ 5:24am

on par with most of what comes from the UK. never got their brains in gear before their mouths are in action!
[ link to this | view in thread ]
CSMcDonald (profile), 10 Apr 2013 @ 5:29am

Re: Re:
Are the parking badges displayed on the vehicle?
If so, all that information is already publicly viewable.
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2013 @ 5:54am

Re: Re: Re:
What, even that on the reverse?
[ link to this | view in thread ]
CSMcDonald (profile), 10 Apr 2013 @ 6:42am

Re: Re: Re: Re:
Can it be seen publicly by anybody who walks by and looks?
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2013 @ 7:05am

Re: Re: Re: Re: Re:
Not without contorting to strange and narrow angles, which from the images, it looks like the wardens did.
[ link to this | view in thread ]
Duke (profile), 10 Apr 2013 @ 7:13am

Legal threat "makes sense"
While the situation is rather silly, having read the actual legal threat is seems perfectly accurate (within UK law).

They start by pointing out that the photos were obtained in breach of the Computer Misuse Act, which is probably true. Under the generic unauthorised access offence there isn't really any requirement that the stuff be password protected etc., merely that it is accessed, without authorisation. So, as with the other cases mentioned above, there's a reasonable chance whoever obtained them committed a crime in doing so, and so they are being reported to the police. The law may be a bit silly, but the legal threat makes sense.

While Nutsville may not be committing any crimes (although I'm not sure), the police could be informed of their involvement as part of the above investigation, so nothing wrong there.

The stuff about injunctive relief in the High Court is a separate thing; that's about getting the content removed from the website (possibly through misuse of private information). Yes, the lawyers should have specified what their cause of action would have been, but it isn't rare for a situation to have both civil and criminal elements.

Treating it as a joke and making fun of the solicitors may be popular, but could come back to hurt them later.
[ link to this | view in thread ]
aidian, 10 Apr 2013 @ 7:19am

Use a URL, go to jail
Didn't we just lock up the guy who exposed AT&T's sloppy security vis-a-vis iPad owners for doing nothing more than visiting unadvertised URL's? Seems like exactly what this guy did. So at least here in the state's he'd likely be guilty of a federal offense. Which is total fu**ing insanity, but that's the law as it stands today.

Also, here in the U.S. if it's visible from somewhere public, you can shoot it and post it. UK is likely different, they've got some god-awful laws about that kind of stuff.
[ link to this | view in thread ]
G Thompson (profile), 10 Apr 2013 @ 11:22am

Re: Legal threat "makes sense"
Totally off topic (well maybe not after your last sentence) did you get a hug yesterday ? ;)

[Though what's with point 8? are your marketing/ethics rules changing???? ]
[ link to this | view in thread ]