The parking industry continues the demonstrate inability to protect personal data

The Information Commissioners Office has just fined Islington Council £70,000 for failing to secure 89,000 people’s data on their parking ticket website. Islington Council internally developed a ‘ticket viewer’ website where ticketed motorists could see details of their contravention, such as pictures and videos. Where users submitted appeals including sensitive information, such as health issues, disabilities, and finances, these were uploaded onto the same system. After three years of operating a user discovered that this information could be accessed by manipulating the website’s URL.

This is known as web parameter tampering or URL manipulation, and should be protected by two mechanisms – validating inputs to check they’re in the expected range, and secondly by putting controls on the data repository to enable only authorised users to access it. Normally this would be picked up at design-time; OWASP, the recognised authority for web security (who every serious web developer would know of), publish a set of guidelines to avoid these basic security problems. If not discovered at design time, then these sorts of issues should be identified during testing, which should be routinely done for a public website, but even more so for a public authority handling personal data. In fact, the ICO report states that Islington Council’s IT security team had not tested it before launch or at any time subsequently. Simply beyond belief, and even more so for a public authority!

As a non-technical analogy, this would be akin to designing a cash machine where the user just types in their account number and can then withdraw their money from that account. It really is that level of poor design and testing.

This isn’t even the first time that this issue has occurred on a parking enforcement website. In 2013 UK Parking Control’s (UKPC) website had an almost identical flaw. In that case, by manipulating a URL on the website, you could view the pictures taken of any other motorist ticketed car.

What is quite clear is that the DVLA and the Information Commissioners Office need to take a much stronger stance with the parking industry. The DVLA is more than happy to sell data to parking companies, but it appears that there are no proactive actions taken to prevent issues such as these. For example, the DVLA could insist upon parking companies to have an industry standard penetration test on their public sites before being allowed access to their driver database. This sort of activity takes a few days of a specialist consultant’s time – a few thousand pounds at most.

It is simply not acceptable that personal data can be leaked onto the internet like this. I call on the DVLA and ICO to take action.

1 Comment on “The parking industry continues the demonstrate inability to protect personal data

  1. Surely the new GDRP laws will have a major effect on these companies. THe current DPA is being replaced nexT may. Consent will be a big thing, data can only be released with consent, there may be exceptions, and opt out is not an option. This makes me think, that DVLA cannot just give out details without consent, I am of a mind to write to them and make it clear my details must not be given to PPC,S