UK Information Commissioner fines a North London council for security flaw which exposed thousands of people’s personal information

August 20, 2017

The UK Information Commissioner (“ICO”) continues to set a brisk pace in taking action against data breaches, this time imposing a £70,000 fine on Islington Council for failing to keep personal information secure on its parking ticket system website. It highlights that breaches of privacy laws are as much about ensuring that personal information is secure against a potential breach as about responding to a breach itself. The infraction can be just as costly.

In the case of Islington Council, the ICO found that its website, which allowed people to see an image of their parking offence, had design faults which potentially exposed other people’s personal information to being accessed, and which on 235 occasions relating to 71 people actually did so. Some of the data that could have been accessed contained medical details, which are by definition sensitive.

There are significant lessons for Australian entities. Dedicated websites and portals are becoming a common means by which people can access their personal information, whether to amend records or simply to review them. For governments and organisations this is an effective, cost-effective and immediate way of conducting business or providing services. But with that ease and effectiveness come obligations to maintain proper security and to ensure there are no design flaws in the underlying systems. That seems obvious, yet flaws discovered after the fact are common and entirely avoidable. A big part of the problem is the failure to build privacy and security safeguards in while a system is being developed. The pressure to bring a program or service online means that privacy becomes an afterthought. In Australia, with a poor privacy culture courtesy of traditionally lax regulation and enforcement, this problem is common to the point of being chronic.

The ICO media release relevantly provides:

Islington Council failed to keep up to 89,000 people’s information secure on its parking ticket system website.

That was the conclusion of an Information Commissioner’s Office (ICO) investigation which has resulted in a £70,000 fine for the London borough.

Islington Council’s Ticket Viewer system allows people to see a CCTV image or video of their alleged parking offence. It was found to have design faults meaning the personal data of up to 89,000 people was at risk of being accessed by others. That data included a small amount of sensitive personal information such as medical details relating to appeals.

The problem came to light in October 2015 when Islington Council was informed by a member of the public using the system that folders containing personal data could be accessed by manipulating the URL.

It was discovered that there had been unauthorised access to 119 documents on the system 235 times from 36 unique IP addresses, affecting 71 people.

Sally Anne Poole, ICO Enforcement Manager, said:

“People have a right to expect their personal information is looked after. Islington Council broke the law when it failed to do that.

“Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure it can have distressing consequences for all those involved. It’s therefore vital that all council staff take data protection seriously.”

The ICO found that the council should have tested the system both prior to going live and regularly after that.

In failing to do so, the London borough failed to take the appropriate technical measures to keep personal information secure. This was a breach of the Data Protection Act.

The monetary penalty notice relevantly states:

9. Islington’s parking inspectors issue tickets for parking contraventions on the public highway or for traffic

10. In 2012, Islington’s internal application team developed ‘TicketViewer’ on behalf of Islington Parking Services (“the application”). It was hosted separately to Islington’s other systems

11. A user (“user”) could log onto the application by entering the vehicle registration number (“VRN”) and a parking ticket number to see a CCTV image or video of their alleged contravention or offence.

12. If a user still wanted to appeal a parking ticket, they could send supporting evidence to Islington Parking Services by email or

13. This included their name and address together with details of any mitigating circumstances such as health issues, disabilities and financial

14. Islington also received sensitive information about users from the ‘Traffic Enforcement Centre’ in relation to its recovery of unpaid fines in the County

15. The back office processing centre scanned all of this information (including the parking ticket and the CCTV image or video that showed the VRN) onto the user’s ticket attachment

16. Between 2012 and 25 October 2015, Islington issued in the region of 825,000 parking tickets and received 270,000 appeals from its

17. On 25 October 2015, Islington was informed by a user that the ticket attachment folders could be accessed by manipulating the URL in the user’s

 

18. At that time, the ticket attachment folders contained personal data relating to approximately 89,000 users, including sensitive personal data and financial details

19. On 16 and 25 October 2015, external testing discovered that a total of 119 documents had been accessed a total of 235 times from 36 unique IP addresses affecting 71

20. The Commissioner has made the above findings of fact on the balance of probabilities.

21. The Commissioner has considered whether those facts constitute a contravention of the DPA by Islington and, if so, whether the conditions of section 55A DPA are satisfied

…..

23. Islington failed to take appropriate technical measures against the unauthorised and unlawful processing of personal data in contravention of the seventh data protection principle at Part I of Schedule 1 to the DPA.

24. The Commissioner finds that the contravention was as follows. Islington did not have in place appropriate technical measures for ensuring so far as possible that such an incident would not occur, i.e. for ensuring that the personal data held in the ticket attachment folders were safeguarded against unauthorised or unlawful access.

25. In particular:

(a). The ‘Folder Browsing’ functionality within the web server was misconfigured; and

(b). The application had design faults.
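The two findings in paragraph 25 (folder browsing left on in the web server, and an application that let the URL choose which ticket's folder was read) and the ICO's point at paragraph 29 that the system should have been tested before go-live and regularly afterwards can be illustrated together. The following Python is an added example written for this post; it is not TicketViewer's code and nothing about the council's real system is known beyond what the notice says. The ticket records, file names, the `/srv/ticketviewer/attachments` root and the function names are all constructed assumptions. The design point is that the attachment folder is derived from the server-side session that was established by the VRN and ticket number, never from the URL, and that a request for a folder rather than a named file is refused outright, so there is no path through the application that can produce a listing even if the web server were misconfigured again.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Constructed sample records standing in for the council's back-office data
# (not real tickets). Each (VRN, ticket number) pair identifies one ticket,
# and each ticket owns exactly one attachment folder.
TICKETS = {
    ("AB12CDE", "IS10000001"): "ticket-0001",
    ("XY99ZZZ", "IS10000002"): "ticket-0002",
}
ATTACHMENTS = {
    "ticket-0001": {"cctv.jpg", "appeal.pdf"},
    "ticket-0002": {"cctv.mp4"},
}
ATTACHMENT_ROOT = PurePosixPath("/srv/ticketviewer/attachments")  # assumed location


@dataclass(frozen=True)
class Session:
    """Server-side session. ticket_id is set only after the VRN and ticket
    number supplied at login matched a record; the client never supplies it."""
    ticket_id: str


def login(vrn: str, ticket_number: str) -> Optional[Session]:
    """Establish a session bound to the single ticket the user proved knowledge of."""
    ticket_id = TICKETS.get((vrn.strip().upper(), ticket_number.strip()))
    return Session(ticket_id) if ticket_id else None


def resolve_attachment(session: Optional[Session], ticket_id: str,
                       filename: str) -> Optional[PurePosixPath]:
    """Return the on-disk path of an attachment the caller may read, else None.

    The folder is taken from the session, so a URL naming another ticket's
    folder is refused rather than served. The filename must be a single plain
    path component that appears on the ticket's own record."""
    if session is None:
        return None                                   # not logged in
    if ticket_id != session.ticket_id:
        return None                                   # someone else's ticket
    # Folder requests (empty name) and anything with separators or dot
    # components are refused, so no request can ever reach a folder.
    if not filename or filename in (".", "..") or "/" in filename or "\\" in filename:
        return None
    if filename not in ATTACHMENTS.get(session.ticket_id, set()):
        return None                                   # not a file on this ticket
    return ATTACHMENT_ROOT / session.ticket_id / filename


# Strings that common web servers put in an auto-generated folder listing
# (Apache, Python's http.server and IIS respectively).
LISTING_MARKERS = ("Index of /", "Directory listing for", "[To Parent Directory]")


def response_exposes_listing(status: int, body: str) -> bool:
    """Pre-go-live / periodic check on the response to a request for a folder
    URL: a 2xx whose body looks like a listing means folder browsing is on."""
    return 200 <= status < 300 and any(marker in body for marker in LISTING_MARKERS)


def go_live_checks() -> dict:
    """The kind of tests the notice says should have run before launch and
    regularly afterwards, expressed against the constructed records above.
    Every entry should be True for a correctly behaving deployment."""
    own = login("AB12CDE", "IS10000001")
    expected = ATTACHMENT_ROOT / "ticket-0001" / "cctv.jpg"
    return {
        "own_file_served": resolve_attachment(own, "ticket-0001", "cctv.jpg") == expected,
        "other_ticket_refused": resolve_attachment(own, "ticket-0002", "cctv.mp4") is None,
        "folder_request_refused": resolve_attachment(own, "ticket-0001", "") is None,
        "traversal_refused": resolve_attachment(own, "ticket-0001", "../ticket-0002/cctv.mp4") is None,
        "unknown_file_refused": resolve_attachment(own, "ticket-0001", "notes.txt") is None,
        "anonymous_refused": resolve_attachment(None, "ticket-0001", "cctv.jpg") is None,
        # Constructed responses standing in for what a scanner would receive
        # from the attachments folder URL with listing on, and with it off.
        "listing_detected": response_exposes_listing(200, "<title>Index of /attachments/</title>"),
        "listing_absent": not response_exposes_listing(403, "Forbidden"),
    }


if __name__ == "__main__":
    for name, ok in go_live_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

In a real deployment `TICKETS` and `ATTACHMENTS` would be database lookups and `response_exposes_listing` would be fed by a scheduled request to the live site rather than a constructed body, but the shape of the checks is the same: a listing of the attachment folder must never come back, and a session for one ticket must never obtain a file belonging to another.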

………….

31. On 25 October 2015, the ticket attachment folders held personal data relating to approximately 89,000 users, including sensitive personal data and financial details. The application therefore required adequate security measures to protect the personal d

32. This is all the more so when sensitive personal data and financial details are concerned – in particular, as regards the users who expected that it would be held securely. This heightens the need for robust technical measures to safeguard against unauthorised or unlawful access. For no good reason, Islington appears to have overlooked the need to ensure that it had robust measures in place despite having the financial and staffing resources

33. The Commissioner therefore considers that the contravention was of a kind likely to cause distress to the users if they knew that their personal data had been accessed by unauthorised

34. The Commissioner also considers that such distress was likely to be substantial, having regard to the number of users and the nature of the data that was held in the ticket attachment folders.

35. Further, the users would be distressed by justifiable concerns that their information has been further disseminated even if those concerns do not actually

36. If this information has been misused by those who had access to it, or if it was in fact disclosed to hostile third parties, then the contravention would cause further distress to the users and damage, such as exposing them to possible fraud.
