Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Security Transportation United Kingdom

Number-Plate Cam Site Had No Password, Spills 8.6 Million Logs of UK Road Journeys (theregister.co.uk) 48

The Register reports that Sheffield City Council's automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people. From the report: The ANPR camera system's internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system -- which logs where and when vehicles, identified by their number plates, travel through Sheffield's road network. Britain's Surveillance Camera Commissioner Tony Porter described the security lapse as "both astonishing and worrying," and demanded a full probe into the snafu. He told us: "As chair of the National ANPR Independent Advisory Group, I will be requesting a report into this incident. I will focus on the comprehensive national standards that exist and look towards any emerging compliance issues or failure thereof."

The unsecured management dashboard could have been used by anyone who found it to reconstruct a particular vehicle's journey, or series of journeys, from its number plate, right down to the minute with ease. A malicious person could have renamed the cameras or altered key metadata shown to operators, such as a camera's location, direction, and unique identifying number. A total of 8,616,198 records of vehicle movements, by time, location, and number plate, could be searched through the dashboard last week, The Register understands. This number constantly grew as more and more number plates were captured by the 100 live cameras feeding the system, and locations of vehicles were logged along with timestamps. The dashboard was taken offline within a few hours of The Register alerting officials.

This discussion has been archived. No new comments can be posted.

Number-Plate Cam Site Had No Password, Spills 8.6 Million Logs of UK Road Journeys

Comments Filter:
  • by nospam007 ( 722110 ) * on Tuesday April 28, 2020 @07:11PM (#60002436)

    Usually somebody has it all on an unsecured laptop and forgets in in the Underground.

  • Statutory liability. If you collect sensitive information, and you let it leak, you owe a per-datum fine. No need to show harm, no waiting for a class-action lawsuit (in the US) followed by a trivial penalty of a few years credit monitoring.

    If a fine of $100 per user's data had ben assessed on Equifax, they would be out of business, as they deserved.

    If the possibility of a business-breaking fine existed, businesses would be more careful about collecting and protecting data. Many of them would stop keeping data unnecessarily.

    And, of course, this is why it will never happen.

    • by Rosco P. Coltrane ( 209368 ) on Tuesday April 28, 2020 @07:35PM (#60002516)

      Statutory liability. If you collect sensitive information, and you let it leak, you owe a per-datum fine.

      I've got an even better one: I once worked for a large military supplier. One of our customers was the special forces of a country I shall not disclose.

      One day, one of the commanders of the special forces came to oversee the reception of very pricy products they had ordered from us. He was asking question after questions, making double and triple sure everything was working as advertised.

      After a day of that, I (politely) asked him: "Aren't you convinced that the products work? We've run the test 5 times, you saw everything. What gives?"

      "Tell you what" he replied, "I'm aware we're overpaying for the products. I'm okay with that, I don't sign the checks. But I'm responsible for what we purchase working perfectly, and if it doesn't, I get jail time. So we'll redo all the tests tomorrow, and we'll redo them again the day after if I feel it's needed, because I don't want to go to jail."

      Wow...

      That's what people putting together sensitive systems need to face: jail. Not puny fines. Real hard time in the slammer. Then they'll be extra-careful.

      • by markdavis ( 642305 ) on Tuesday April 28, 2020 @09:40PM (#60002832)

        >"I've got an even better one: I once worked for a large military supplier. [...] responsible for what we purchase working perfectly, and if it doesn't, I get jail time."

        I have an even better one than that:

        Stop spying on citizens in "free" countries. Stop collecting and storing the data in the first place. Data that is not collected cannot be abused, disclosed, hacked, stolen, leaked, aggregated, manipulated to frame someone, used to blackmail people, used to discredit people, used to profile and "socially engineer" people, used to foster and enforce ever more draconian laws, used to remove freedom and privacy, used to silence critics or suppress dissent.

        • 'Stop spying on citizens in "free" countries.'

          Hasn't the UK - like America and the rest of Europe - now given up all pretense of being a free country? Last I checked we were all living under dictatorships that had instituted brutally repressive prison states in order to combat an "Invisible Enemy".

          • On the other hand you are letting a whole infrastructure be built which a dictator would be gleeful to have, just waiting...waiting.

            Here's a hint from actual history: don't build it to begin with. Then it can't be abused.

          • by fenrif ( 991024 )

            Sure, no one wants to live in a police state. But hey... At least someone is finally thinking of the children/women/muslims/whatever is next.

            Finally a society of which Maude Flanders would be proud.

      • by AmiMoJo ( 196126 )

        Stuff like this shouldn't even be collected in the first place. I guarantee that whatever the council's justification is it's not adequate.

      • by tlhIngan ( 30335 ) <slashdot&worf,net> on Wednesday April 29, 2020 @01:32PM (#60004674)

        That's what people putting together sensitive systems need to face: jail. Not puny fines. Real hard time in the slammer. Then they'll be extra-careful.

        No, it'll just make software 100x as expensive. And kill open-source because no one will want to use Linux unless someone is willing ot step up and guarantee it.

        The space shuttle software needed to be reliable and safe. And it was some of the most audited code on the planet - NASA paid a lot per line of code (and there weren't that many of them). Not just for each line of code, but each modification came with tomes of paperwork

        It would however generate a lot of jobs - people who will sit through a month of meetings just to do a one line change, and people who would code review the change afterwards. The programmer in between doesn't really matter since it's just a line of code being changed and they're just getting which line is being changed.

        Then people wonder why it costs $500 to buy a hammer. or $30,000 for a toilet.

    • by xxdelxx ( 551872 )
      Unfortunately for that corrective mechanism this is a British local authority. They have a long and distinguished tradition of epic levels of ineptitude matched only by their unparalleled ability to spend vast amounts of money with no discernible return. Their districts have been so thoroughly gerrymandered over the decades that they weigh their majorities come election time - who needs to count?

      Their well practised response to these revelations is <shrug>. If they are feeling truly contrite they
    • by guruevi ( 827432 )

      Governments are immune from prosecution. The Queen owns the land and whatever is on it. What you propose would result in nobody wanting to maintain personal records, so the only one doing it would be inept governments.

    • by ruddk ( 5153113 )

      Now with Brexit, I guess the EU GDPR rules does not apply for them now. Otherwise they could receive a 20 million euros fine.

      "There are two tiers of fines, which will be applied depending on whether the controller (the company that is using the data) or the processor (the vendor that is processing the data) has committed a violation in the past. And of course, the nature of the violation itself. But don’t be lax: even the lower threshold or tier will prove to be an expensive proposition; it calls for

      • by Kjella ( 173770 )

        Monetary punishments have very little effect on public services because they take it out on their consitutents as higher taxes or less services. If you fine the city council it's as if you set 20 million euros of tax revenue on fire, there's no investors losing money or sales lost. What happens is that your roads don't get paved, your public transport is cut and your schools are underfunded because the budget must be balanced. And if you raise hell about that the money must still come from your own pockets

      • by Anonymous Coward

        Sigh.
        GDPR was and is a British law passed by the UK parliament, and remains in force unless specifically repealed/replaced. Leaving the EU does not change *British* law.

    • If you collect sensitive information

      Define sensitive information. All I see is pseudo-anonymous data on driving based on a record of information that is legally required to be public for all (license plates) in a non-private setting (public roads).

      This is *nothing at all* like the Equifax leak, which actually had a serious and direct impact on people.

    • If a fine of $100 per user's data had ben assessed on Equifax, they would be out of business, as they deserved.

      Except it's Sheffield council. If they go out of business then all of the residents (and particularly the poorer ones) will suffer.

  • In the old days, people would put together poorly secured servers, the servers would get abused, the data would get stolen by bad guys, and the admins would take raked over the coal for the lapse of security This is so 20th century....

    Nowadays, smart admins put together instances, run them in the cloud, the cloud provider fucks up, and then they can blame the cloud provider.

  • Come on devs/netops guys at ANPR, step up your game. If you're that bad at operational security *please* hire or contract out to someone who is competent. You're making everyone else look bad.
    • this only shows politicians aren't competent to manage tech, including tech that tracks people. I say take away all their tech. No cameras, no computers. They can hunt crime the old fashioned way, collect fees and issue licenses like its 1950, pretty much leave most of us alone other than those fees.

      • Agreed, but a wholly separate argument. England seems to be exercising the same sort of intrusive government policing that was foreshadowed by Huxley's book 1984. Nonetheless, there is no excuse for bad OpSec. It's just pure negligence and/or incompetence.
        • My previous employer would get hired by local municipal governments and police when things went terribly wrong with their systems. In other words, no operators nor security nor IT in the building normally until or except when something went wrong.

          • Then they should have brought in your previous employer at the start of the project. But they didn't. I believe we are both on the same page.
        • by ratbag ( 65209 )

          Orwell's, surely?

    • I must imagine it's quite challenging to hire competent staff at a reasonable price, when your "product" they'll be working on is literally the implementation of totalitarianism.

  • set the speed limit to 200 MPH

  • I missed this episode of Fahrenheit 451
  • That old chestnut. No one will ever find it, right?

  • Would this be covered by the GDPR? If so.....*whew* for the company the responsible entity!
    • No because your license plate is not private information under law, and neither is your movement on public roads.

      • Re: (Score:3, Informative)

        by Qattus ( 6812704 )
        Actually, license plate numbers are specifically mentioned as an example of personal data. https://gdpr.eu/eu-gdpr-person... [gdpr.eu]
        • Actually, license plate numbers are specifically mentioned as an example of personal data.

          https://gdpr.eu/eu-gdpr-person... [gdpr.eu]

          That in itself doesn't make it a breach of GDPR, the location of any given license plate is not private. It only identifies an owner of a vehicle (indirectly) not a person. And if GDPR were applicable I guess various governments would have to shutdown their license plate lookup information, which they haven't.

      • by Jahta ( 1141213 )

        No because your license plate is not private information under law, and neither is your movement on public roads.

        Not so. GDPR defines personal data [gdpr.eu] as "any information relating to an identified or identifiable natural person". If you are holding any kind of personal data you must (a) have a valid reason for doing so and (b) secure the data against any access that is not directly related to your valid reason.

        If you don't properly secure the data you commit a personal data breach [gdpr.eu] defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to

        • Indeed. Unfortunately just knowing a license plate or its location doesn't qualify and many countries in EU run open databases of license plate information precisely so you can lookup information about vehicles. All of that is held for a valid reason, and all of that is secure as public information needs to be.

          I mean let's face it there are people who will get paid way more than us to argue this to death in court. But it's not a foregone conclusion.

  • Seems the issue is the outsourced contractors screwed it up, so the government agency that put it in looks like idiots for either not setting it up right, or hiring incompetent contractors. SCC was the problem. SCC didn't ensure it was done right. SCC ordered it. SCC paid for it. SCC should have built a competent IT department and insourced the work to SCC, so that SCC would hold the responsibility, as well as the accountability. You can outsource the work, but not the accountability. 3M or Neology s
    • by Anonymous Coward

      SCC probably had to hire "inside IR35" contractors to do the work. Any contractor worth their salt would walk away from "inside IR35" work because it's really a code word for "zero rights employment", and go get work in the private sector. Thus, SCC could only hire idiots. And they delivered, exactly as idiots do.

      SCC should of course be hauled over the coals for this. When they do, I sincerely hope they point the finger at HMRC for the utter shambles that is IR35.

  • Come on, you know they've always wanted to use this data for things we wouldn't approve of. It's a "leak", not a leak.

news: gotcha

Working...