The Information Commissioner’s Office (ICO) has found that the London Borough of Islington is liable for breaching data protection duties through their reported failure to keep 89,000 people’s personal data safe on an online parking ticketing database.
Information including sensitive health details, disabilities and financial details was reportedly not properly secured.
Islington Council uses a ‘Ticket Viewer’ system to allow members of the public to review CCTV images or videos of the parking offence so they may check any tickets issued, and it is this system that is at the centre of the breach.
Public discovery of the breach
Using the system, individuals can also send in supporting evidence like medical records to appeal issued tickets. The council also kept information received from the Traffic Enforcement Centre in the recovery of issued fines; for example, bankruptcies.
Unfortunately, due to design faults, the system was not properly secured and reportedly put 89,000 people’s information at risk. A member of the public was using the service when they discovered the design flaw that allowed them to access other people’s ticketing information and other related data.
About the flaw
By manipulating the URL, an individual could look through information belonging to other parking offenders. According to the ICO, this was then disclosed to Islington Council, which investigated the situation and found that “119 documents on the system” were accessed without authorisation “235 times from 39 unique IP addresses.”
Without a system in place to detect unauthorised access, 71 people were affected by the breaches.
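The flaw described above is an insecure direct object reference: an identifier taken from the URL is used to fetch a record without checking that the requester is entitled to it. The following added example, written for this article and not taken from Islington Council's system or any vendor's product, shows the vulnerable lookup pattern beside a hardened version that enforces object-level authorisation, and a minimal detector that flags clients accumulating denied lookups, the kind of monitoring the article notes was absent. The ticket records, account names, IP addresses (from documentation ranges) and request log are all constructed sample data.

```python
"""IDOR in a ticket-viewer style lookup: vulnerable vs. hardened handler,
plus detection of enumeration from an access log. Illustrative only; all
data below is constructed and not from any real system."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    owner: str       # account the penalty notice was issued to
    evidence: str    # description of the material attached to the ticket


# Constructed sample records (hypothetical accounts and content).
TICKETS: Dict[int, Ticket] = {
    1001: Ticket(1001, "alice", "CCTV still; medical letter uploaded"),
    1002: Ticket(1002, "bob", "CCTV clip; enforcement-centre correspondence"),
    1003: Ticket(1003, "carol", "CCTV still"),
}


def view_ticket_insecure(ticket_id: int, requester: str) -> Optional[Ticket]:
    """Vulnerable pattern: the identifier from the URL is trusted as-is.
    The requester is never compared with the record's owner, so editing
    the number in the URL returns whatever record exists."""
    return TICKETS.get(ticket_id)


class Forbidden(Exception):
    """Raised when a record is missing or not owned by the requester."""


def view_ticket_secure(ticket_id: int, requester: str) -> Ticket:
    """Hardened pattern: object-level authorisation. The record is fetched
    and its owner is checked against the authenticated requester. Missing
    and foreign records raise the same error so the endpoint does not
    reveal which ticket numbers exist."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None or ticket.owner != requester:
        raise Forbidden(f"ticket {ticket_id} not available to {requester}")
    return ticket


def can_view(ticket_id: int, requester: str) -> bool:
    """Convenience wrapper returning True only if the hardened check passes."""
    try:
        view_ticket_secure(ticket_id, requester)
        return True
    except Forbidden:
        return False


# (client_ip, ticket_id, outcome) as an application access log would record.
LogEntry = Tuple[str, int, str]


def serve(requests: Iterable[Tuple[str, str, int]]) -> List[LogEntry]:
    """Run (client_ip, requester, ticket_id) requests through the hardened
    handler and return the access log the detector consumes."""
    log: List[LogEntry] = []
    for ip, requester, ticket_id in requests:
        outcome = "ok" if can_view(ticket_id, requester) else "denied"
        log.append((ip, ticket_id, outcome))
    return log


def find_enumeration(log: Iterable[LogEntry], threshold: int = 3) -> Dict[str, int]:
    """Flag client IPs with at least `threshold` denied lookups: a single
    account walking through other people's ticket numbers produces a run
    of denials that a per-request check alone never surfaces."""
    denied: Dict[str, int] = defaultdict(int)
    for ip, _ticket_id, outcome in log:
        if outcome == "denied":
            denied[ip] += 1
    return {ip: n for ip, n in denied.items() if n >= threshold}


# Constructed requests: two legitimate views, then one client trying four
# ticket numbers that are not its own (two real, two nonexistent).
SAMPLE_REQUESTS = [
    ("203.0.113.5", "alice", 1001),
    ("203.0.113.9", "bob", 1002),
    ("198.51.100.7", "alice", 1002),
    ("198.51.100.7", "alice", 1003),
    ("198.51.100.7", "alice", 1004),
    ("198.51.100.7", "alice", 1005),
]

if __name__ == "__main__":
    leaked = view_ticket_insecure(1002, "alice")
    print("insecure handler returned:", leaked)          # bob's record
    print("secure handler allows own ticket:", can_view(1001, "alice"))
    print("secure handler allows foreign ticket:", can_view(1002, "alice"))
    print("flagged clients:", find_enumeration(serve(SAMPLE_REQUESTS)))
```

The fix is the ownership comparison in `view_ticket_secure`, not the error message; returning an identical error for missing and foreign records is a secondary hardening so the endpoint cannot be used to confirm valid ticket numbers. The detector is deliberately simple (a count of denials per client over the whole log); a production version would window by time and feed an alert, but even this level of logging would have exposed the "235 accesses from 39 IP addresses" pattern the ICO later reconstructed.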
Council criticised
ICO enforcement manager Sally Anne Poole criticised the council for putting so many people at risk:
“People have a right to expect their personal information is looked after. Islington Council broke the law when it failed to do that… Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure it can have distressing consequences for all those involved. It’s therefore vital that all council staff take data protection seriously.”
Islington Council should have tested the system to make sure it was secure before opening it for public use. Even after releasing it, the council could have made systematic checks to ensure that its cybersecurity was in shape.
The council could not provide a reasonable explanation for the lack of security controls. Due to these failures, it breached data protection rules and the ICO therefore issued a fine of £70,000.
Ignorance and oversight are not a defence when it comes to data protection.
Public authorities remain in the data breach limelight
Things are not looking good for public authorities according to a recent study conducted by the ICO. The government survey found that many authorities were not ready for the new General Data Protection Regulation that will be implemented in May 2018.
The study found that over 15% of councils don’t provide any data protection training for staff who have access to personal data, and a third of councils don’t conduct privacy impact assessments to see how an individual could be harmed if a data breach occurred.
From May 2018 onwards, the GDPR requires that all local councils appoint a data protection officer to make sure the council is complying with the new data protection rules. Hopefully, the new rules, backed by new and increased sanctions, will drive a marked improvement in how councils secure personal data.