Data of 10,000 drivers leaked online after PaymyPCN.net database security gaffe
A private database of parking ticket details for almost 10,000 motorists has been published online.
The firm reportedly responsible for the gaffe is PaymyPCN.net, which collects driver penalty charges and has a direct link to the Driver and Vehicle Licensing Agency (DVLA) database.
The company allows drivers to pay parking fines and appeal them through its website, and describes itself as a PCI DSS compliant payment processor dedicated to safeguarding motorists’ privacy with data encryption.
Sky News reported that PaymyPCN.net accidentally sent the data, meant only for use by police and licensed parking firms, to one of its customers who then published it on the Internet.
The content included customer names and addresses, emails regarding penalty charge appeals, and photographs of motorists and their vehicles taken by enforcement officers.
Sol Cates, chief security officer at data security firm Vormetric, said the incident highlights companies’ security weakness at database level.
He said: “Though the spectrum of threats facing the data and information we hold dear continues to evolve and multiply, and as new technologies such as cloud and big data increasingly expose businesses to other modes of attack, it seems that too many are still unprepared for attacks at the database level. Indeed, this breach at PaymyPCN.net demonstrates that even with basic IT security measures in place, perimeters are still permeable.
“In this case, although the information was encrypted, just as important is the control of access to the encrypted information – and this is where PaymyPCN.net appears to have failed.”
Encryption without access controls is of limited value – protecting only against physical loss or theft of a device with sensitive data. Unfortunately, the compromised data, which included drivers’ names, emails, photographs and addresses, is the type that can be easily used by hackers looking to craft social engineering scams later down the line.
Cates added: “Failure to understand every mode of access or every potential exposure point in the business network is simply a breach waiting to happen – in this case, the business has learned the hard way. Protecting data no matter where it is stored and to whom it is transferred requires a combination of technologies to combat sophisticated threats.
“Deploying encryption and access control for data at rest, Database Activity Monitoring (DAM) and Security Information and Event Management (SIEM) to gather together information on what is happening to data means that organisations can identify breaches as and when they occur, as well as spot advanced threats, compromised accounts and malicious insiders before it is too late.”