A third-party contractor running a database without password protection exposed more than 500,000 records related to vehicle seizures by the Irish National Police. Security researcher Jeremiah Fowler found various records dating back to 2017 including scanned identity documents, insurance investigation inquiries, certificates of vehicle registration, and other potentially sensitive data. Incident summary reports were also among the documents exposed. These included names and details of drivers, witnesses, and multiple Garda officers. Fowler's investigation revealed "Approximately 2 to 5 documents related to each individual case" exposed on the database, an insight he extrapolated to predict around 150,000 vehicle owners being affected by the incident. The vehicle seizures were carried out by the Garda, but the database is entirely owned and operated by an unnamed, Limerick-based contractor, which was reportedly highly responsive to reports and remediated the issue promptly. "Under An Garda Síochána's contract with individual towing companies, there are clear obligations on individual towing companies to protect any information supplied to them by An Garda Síochána including personal data," the spokesperson told the publication. "This obligation also extends to situations where individual towing companies provide this information to a third party for storage purposes." During the disclosure process, Fowler told The Register that he wasn't privy to whether there was evidence to suggest malicious actors had accessed the database or exfiltrated data. He believes the access to the public cloud storage repository could have been set to "Public" in error, since access needed to be open to multiple organizations, including the police and towing and storage companies. "These documents are needed for the towing and storage companies and the police to have access at any time, and this could have been where the mistake occurred and public access was opened," he said. The latest revelation follows a long line of stories related to various police forces in the UK all reporting data incidents in recent months. It all started with the Police Service of Northern Ireland posting a spreadsheet full of names and locations of its serving officers back in August, as well as civilian staff members. The incident occurred due to the PSNI mistakenly posting online a response to a request made under the Freedom of Information Act 2000 with too much information. Speaking at the time, the Chair of the Police Federation for Northern Ireland, Liam Kelly, said that if home addresses had been included in the leak, the PSNI would have faced "a potentially calamitous situation." Days later, Cumbria Constabulary became the second police force in the country to disclose officers' personal information. The force confirmed in a statement that human error was to blame when the document was uploaded to its website in March. Again, just days later in what was a wild fortnight for police data leaks, Norfolk and Suffolk police forces confirmed they had leaked raw crime report data in FoI responses. London's Met Police followed suit later in August, disclosing that a third-party breach exposed officers' names, photos, salaries, and more. Greater Manchester Police also announced in September that a third-party supplier of ID badges had been attacked with ransomware, which then led to theft of data relating to the names and photos of its officers.
This Cyber News was published on www.theregister.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000