Have a read here

https://nakedsecurity.sophos.com/2015/02/24/10000-motorists-names-and-addresses-published-online-by-parking-fine-company/

That's bad enough but what was michael Green thinking of posting it on twitter?

Pass! more tweets?

 

The company, which allows drivers to both appeal and pay parking fines, describes itself as a PCI DSS compliant payment processor that uses encryption to safeguard drivers' privacy and transaction details.

 

All of that appears to be for almost nothing though - Sky News reports how the database entered the public domain after an unrestricted link to it was sent to a motorist by mistake.

 

The motorist then forwarded it to lawyer Michael Green, a consumer activist running the ChallengeTheFine.com website, who published it on Twitter (now deleted).

 

Contained within the database were 9721 records, including names and addresses of drivers provided by the Driver and Vehicle Licensing Agency (DVLA).

 

Photographs of motorists and their vehicles taken by enforcement officers were also available, as were emails of appeals against parking tickets.

 

 

https://nakedsecurity.sophos.com/

I can't actually see what harm it's done anyone ?

I can't actually see what harm it's done anyone ?

Well for starters they have breached the terms of their kadoe contract numerous times.

Small section of the kadoe contract between DVLA and customer(PPC);

(Apologies for how it is formatted!).

SCHEDULE 2 MINIMUM DATA SECURITY REQUIREMENTS 1. 1.1. a) b) c) d) e) f) g) h) Data Security Requirements The minimum security requirements, which are required by clause D2, are as follows: Data, including back-up data, must be retained in secure premises and locked away; Data, including back-up data, must be protected from unauthorised access, release or loss; A User ID and password must be required to enter all databases on which the Data is stored; A unique User ID and password must be allocated to each person with access to the Data or the KADOE Service; User IDs must not be shared between Staff; Access to the Data must be minimised so that only where necessary are individuals given the following levels of access:  ability to view material from single identifiable records  ability to view material from many identifiable records  functional access, including: searching, amendment, deletion, printing, downloading or transferring information; An electronic trail relating to any activity involving the Data must be retained, identifying the User ID and individual involved in each activity; The Data must not be accessed from, copied onto or stored on Removable Media

D6. Retention of Data and Evidence D6.1. In accordance with the DPA, the Customer shall retain each item of Data only for as long as is necessary with reference to the reasonable cause for which it was shared

I know all that, but what harm has it done ?

I know all that, but what harm has it done ?

Who knows? What kind of people had free access to the RK data?

Allow free access to the DVLA database for everyone and see what will happen....

Same thing, smaller scale.