The Information Commissioners Office has just fined Islington Council £70,000 for failing to secure 89,000 people’s data on their parking ticket website. Islington Council internally developed a ‘ticket viewer’ website where ticketed motorists could see details of their contravention, such as pictures and videos. Where users submitted appeals including sensitive information, such as health issues, disabilities, and finances, these were uploaded onto the same system. After three years of operating a user discovered that this information could be accessed by manipulating the website’s URL.
This is known as web parameter tampering or URL manipulation, and should be protected by two mechanisms – validating inputs to check they’re in the expected range, and secondly by putting controls on the data repository to enable only authorised users to access it. Normally this would be picked up at design-time; OWASP, the recognised authority for web security (who every serious web developer would know of), publish a set of guidelines to avoid these basic security problems. If not discovered at design time, then these sorts of issues should be identified during testing, which should be routinely done for a public website, but even more so for a public authority handling personal data. In fact, the ICO report states that Islington Council’s IT security team had not tested it before launch or at any time subsequently. Simply beyond belief, and even more so for a public authority!
As a non-technical analogy, this would be akin to designing a cash machine where the user just types in their account number and can then withdraw their money from that account. It really is that level of poor design and testing.
This isn’t even the first time that this issue has occurred on a parking enforcement website. In 2013 UK Parking Control’s (UKPC) website had an almost identical flaw. In that case, by manipulating a URL on the website, you could view the pictures taken of any other motorist ticketed car.
What is quite clear is that the DVLA and the Information Commissioners Office need to take a much stronger stance with the parking industry. The DVLA is more than happy to sell data to parking companies, but it appears that there are no proactive actions taken to prevent issues such as these. For example, the DVLA could insist upon parking companies to have an industry standard penetration test on their public sites before being allowed access to their driver database. This sort of activity takes a few days of a specialist consultant’s time – a few thousand pounds at most.
It is simply not acceptable that personal data can be leaked onto the internet like this. I call on the DVLA and ICO to take action.