You are here

8.6M PII leaked from UK city's CCTV DB, Neology denies responsibility

public://webform/writeforus/profile-pictures/richi-2016-480.jpg
Richi Jennings, Industry analyst and editor, RJAssociates

An English city somehow forgot to password-protect a huge PII trove. And this isn’t just any old database—it’s what the Brits call automatic number-plate recognition (ANPR), which reads car license plates and can follow people’s journeys across the city.

Yes, the surveillance state appears to have a failure of DevSecOps. Who’d have thunk it?

This sort of thing has cropped up before, and it has always been due to human error. In this week’s Security Blogwatch, we stay at home.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: stop-mo.

[ Get up to speed on new privacy laws with this Webcast: California’s own GDPR? It’s not alone. Plus: Learn about data-centric protection with TechBeacon's guide. ]

WWHALD?

What ho, peasants? Gareth Corfield reports—Democratising mass surveillance, one snafu at a time:

In a blunder described as "astonishing and worrying," Sheffield City Council's … ANPR system exposed to the internet 8.6 million records of road journeys made by thousands of people. … No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles … travel through Sheffield's road network.

The unsecured management dashboard could have been used by anyone who found it to reconstruct a particular vehicle's journey … right down to the minute. … A malicious person could have renamed the cameras or altered key metadata shown to operators, such as a camera's location, direction, and unique identifying number.

A total of 8,616,198 records of vehicle movements, by time, location, and number plate, could be searched through the dashboard last week. … One camera alone recorded … 21,000 [vehicles] on Monday, February 24. … The exposed dashboard was in active use … as recently as last Wednesday (22nd April).

If you're wondering who supplied this technology, every page … has 3M Neology at the top. … Lawyers for ANPR dashboard maker Neology [insisted] "Our client has not been responsible for the management of the system."

Eugene Walker, Sheffield City Council's executive director of resources, together with Assistant Chief Constable David Hartley of South Yorkshire Police, told us: “We take joint responsibility for working to address this data breach. It is not an acceptable thing to have occurred. … As soon as this was brought to our attention we took action to deal with the immediate risk and ensure the information was no longer viewable externally. … We will continue to investigate how this happened and do everything we can to ensure it will not happen again.”

Don’t spill your Yorkshire Tea. Aunty Beeb adds—Drivers' details 'leaked' online:

Big Brother Watch, a privacy campaign group, said: "Councils shouldn't be conducting this mass scale snooping at all, let alone leaking millions of sensitive records on the internet. The incompetent management of this … system means the council will have no idea who has had access to the data, when, how, why or what they might do with it. Detailed journey records … poses a particular risk in stalking and harassment contexts."

Tony Porter, the surveillance camera commissioner, said: "The report of this alleged data breach is both astonishing and worrying." … The Information Commissioner's Office … said it would "assess the information provided."

Last year it was found that Sheffield Council accidentally sent the contact details of hundreds of people … in an email.

What’s going on over there? Hugo Griffiths—UK’s ANPR camera network exposed:

In 2018 alone, automatic number plate recognition (ANPR) cameras carried out 10.1 billion number plate scans across the length and breadth of the country, generating 203 million ‘hits’ on vehicles of interest in the process. … While the police use ANPR cameras to track and trace criminals, local councils … are adopting the technology for traffic and parking infractions, issuing 6.96 million penalty tickets over the past five years, generating fines equivalent to around [$600] million.

Privacy campaigners are concerned that the widespread use of ANPR technology amounts to the mass surveillance of innocent citizens. Silkie Carlo, director of privacy campaign group Big Brother Watch, said our figures … “reveal the astonishing scale of secretive ANPR surveillance in the UK”. Carlo added “there is no clear legal basis” for the UK’s ANPR network.”

Tony Porter, the Government’s surveillance camera commissioner, warned that the UK’s ANPR network operates with “limited democratic oversight” and the system “must surely be one of the largest data gatherers of its citizens in the world” – although he recognised the vital crime-fighting role the camera network plays. … The Local Government Association said councils “make no apologies for enforcing the law” with ANPR cameras, and that surplus revenue generated from fines is spent on transport improvements.

Yeah, I bet it is. Alexander Martin keeps up with his alma mater:

Imagine you lived in a country where every car journey was monitored and logged by an automated system. Now imagine you lived in a city where the council left these logs openly accessible to the world.

Welcome to Sheffield.

Let’s cut to the chase. UKSmartypants calls it an “Olympic Grade **** up”:

The question then being, have you sacked the IT dept employee who created his gigantic and illegal release of data, and how many of your other systems are so badly set up?

Leaving an SQL database exposed to an open Forwarded Port, complete with a handy User GUI [is] a pretty basic mistake. … Whoever did that needs to be sent on a refresher course. And have their **** kicked round the office.

What’s to stop them making the same mistake with, say, people’s financial details?

How does this even happen? Here’s HowObvious:

Its usually caused by network changes such as a firewall misconfiguration or incorrect switch routing followed up by no testing. But this also means their networks and the system have not been setup correctly into zones [which] would make this not possible.

The council almost certainly has a tiny budget for security if there is any at all and they do not have any system for detecting/alerting to a publicly facing system like this. Even where legally required in Finance there is a serious lack of competence in security.

Financial institutions are required to have security teams and are regularly audited to prove that their systems are being secured to an appropriate degree. The council has no such requirements, they are required to keep PII secure as part of GDPR but there are no security requirements generally and no checks to validate this.

Is this connected with the UK’s right-wing government? No, says LucreLout:

ANPR was rolled out by the last Labour government. … We've already changed government from left to centre-coalition to centre-right and none of them have wanted to address ANPR or CCTV. Mostly because millennials and zombies don't want privacy.

Meh—privacy, schmivacy. Bjorn Toft Madsen modestly proposes you should think like him:

Since I have nothing to hide, I have removed all curtains in my house and all locks on the bathroom doors. I invite total transparency because I am innocent.

That's why I tell people about all my visits to the doctor, when I went and why, and a have a ticker in my window displaying my bank balance to the world. When I travel around, my full address is emblazoned upon my jacket, to evidence yet again how innocent and pure I am.

I welcome our overlords' investigations. … Since I have nothing to hide, I have nothing to fear.

It’s at times like this we often hear from people suggesting statutory fines for leaking data. But Rosco P. Coltrane suggests something harsher:

I once worked for a large military supplier. One of our customers was the special forces of a country I shall not disclose.

One of the commanders of the special forces came to oversee the reception of very pricy products they had ordered from us. He was …  making double and triple sure everything was working as advertised.

I (politely) asked him: "Aren't you convinced that the products work? We've run the test 5 times. … What gives?"

"I'm responsible for what we purchase working perfectly, and if it doesn't, I get jail time. So we'll redo all the tests tomorrow, and we'll redo them again the day after if I feel it's needed, because I don't want to go to jail."

That's what people putting together sensitive systems need to face: jail. Not puny fines. Real hard time in the slammer. Then they'll be extra-careful.

Meanwhile, confusedpurple agrees. And feels some déjà vu:

And once again the utter morons in charge will just go, "Whoops. Our bad," and get away with it. People should be facing prison sentences.

The moral of the story?

Test, test, test: Red team, automate regression tests, use strict change controls. And if you really must do mass surveillance, make sure it’s well protected.

[ Get on top of access with TechBeacon's guide to identity governance. Plus: Learn how to secure and manage cloud-based Linux resources with Active Directory in this Webinar. ]

And finally

Feeling hungry?

Previously in “And finally”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image sauce: Peter Griffin (cc:0)

[ Explore TechBeacon's guide to SecOps challenges and opportunities. Plus: Download the 2019 State of Security Operations report. ]