Privacy Concerns? Some Personal Data in the UK Was Not Even Password-Protected
There is no shortage of news about hacks and cybersecurity flaws, which may not come as a surprise. Yet, there are curious ones that catch the eye.
In this piece, we take a look at a recent story about a blatant vulnerability in a CCTV system exposing 8.6 million records and try to find an upside in today’s messy situation with privacy.
British CCTV Data Exposed
On April 28th, The Register put out an article about a security mishap involving an automatic number-plate recognition (ANPR) system run by the City Council of Sheffield, UK. It turned out that the system’s internal management dashboard wasn’t protected even by a password and could be accessed by entering its IP address in a browser.
As a result, 8.6 million records were exposed, potentially allowing anyone to precisely deduce the journeys of thousands of people down to the minute. Luckily, the officials said that there’s no evidence that the data have been exploited.
“We take joint responsibility for working to address this data breach. It is not an acceptable thing to have occurred. However, it is important to be very clear that, to the best of our knowledge, nobody came to any harm or suffered any detrimental effects as a result of this breach,” Sheffield officials told The Register.
The flawed dashboard was reportedly shut down shortly after The Register notified local authorities.
This case is concerning for several reasons. First of all, it must have taken an astonishing amount of confidence to leave a municipal CCTV dashboard just lying in the open. It may seem that everything is fine, but not knowing about bad things happening isn’t the same as knowing they didn’t happen. Aside from spying on people, the vulnerability may have allowed an adversary to change important parameters within the system: rename cameras, edit their assigned locations, etc. Moreover, the situation raises the question of how much more freely accessible information of this sort is still out there.
On the other hand, there’s the problem of balance between keeping people’s privacy and making everybody observe the law.
“ANPR use must be proportionate to the problem it’s trying to address – it’s not supposed to be a tool of mass surveillance. Both the council and police have a responsibility to ensure their use is proportionate and subject to a data protection impact assessment,” Privacy International’s Edin Omanovic told The Register, “They must both now explain how exactly they are using this system, how their use is consistent with data protection rules, how it came to be that this data was exposed, and what changes they’ve made to ensure it never happens again.”
In this particular case, one of the surveillance system functions was to automatically detect vehicles entering the city center to charge a fee from the owners. The measure is meant to encourage people to reduce car traffic in the area and combat pollution. Sounds harmless, but ANPR is still a serious surveillance tool, which is easy to mishandle.
Given the sheer number of CCTV systems, it’s hard to believe that there aren’t more similar cases yet to be revealed. Undoubtedly, it is concerning to suggest that a number of video control systems in cities across the world are this vulnerable. But there’s another side to this.
There were no malicious hackers involved in this, no unsavory political powers exploiting tech to harm opponents, and no critical flaw in technology left unnoticed. A pretty low bar, but still. From what it looks like, this is nothing but an eye-opening example of human negligence that begs to be learned from. This story wouldn’t have happened, had there been a simple authorization check. The very idea of personal data lying there up for grabs is equally amusing and disturbing, especially in the light of privacy concerns people have to face these days.
On top of that, this case offers a different look at a more technologically advanced future. Eventually, more people will learn to treat technologies responsibly. There will be fewer and fewer ludicrous cases of government databases not being protected, that’s for sure. Even assuming that there are more examples of such negligence worldwide, the problem itself is more than solvable with education and supervision.
With the growing need for data protection, the cybersecurity industry is progressing and is largely expected to keep growing. A larger market with more competition will bring more effective security solutions for both enterprises and the general public, making sensitive data less vulnerable and privacy more accessible to a layperson.