Irish National Police Records of Seized Vehicles Exposed in 3rd Party Contractor Data Breach
p
vpnMentor contains reviews that are written by our community reviewers These take into consideration the reviewers independent and professional examination of the productsservices pp
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacyrelated stories Today our team of hundreds of cybersecurity researchers writers and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC which also owns the following products ExpressVPN CyberGhost ZenMate Private Internet Access and Intego which may be reviewed on this website pp
vpnMentor contains reviews that follow the strict reviewing standards including ethical standards that we have adopted Such standards require that each review will take into consideration the independent honest and professional examination of the reviewer That being said we may earn a commission when a user completes an action using our links at no additional cost to them On listicle pages we rank vendors based on a system that prioritizes the reviewers examination of each service but also considers feedback received from our readers and our commercial agreements with providers pp
The reviews published on vpnMentor are written by community reviewers that examine the products according to our strict reviewing standards Such standards ensure that each review prioritizes the independent professional and honest examination of the reviewer and takes into account the technical capabilities and qualities of the product together with its commercial value for users The rankings we publish may also take into consideration the affiliate commissions we earn for purchases through links on our website ppCybersecurity Researcher Jeremiah Fowler discovered and reported to vpnMentor about a nonpassword protected database that contained over 500k records containing identification documents and other potentially sensitive information The documents appear to be associated with the Irish National Police Database of automobile seizures and the private towing and storage contractorsppThe database contained records from numerous private towing and storage companies acting as private contractors on behalf of Garda Síochána also known as the Irish national police service The records included notices of automobile seizure as well as destruction notices release documents scanned identification documents insurance investigation inquiries certificates of vehicle registration and other documentation relevant to the detention of a vehicle Additionally there were spreadsheets and monthly reports that included vehicle and registration information names of vehicle owners contractor information and other potentially sensitive data The total number of documents was 521043 with a total size of 2718 GBppUnder Irish law when a vehicle is detained the registered owner must present several documents including identification insurance documentation receipts for taxes and the payment for recoverystorage charges Based on what I saw in the database it is estimated that there are approximately 2 to 5 documents related to each individual case Considering the half a million records contained in the database this means that an average of 150000 vehicle owners could be potentially affected by the breach I couldnt find any publicly available official information regarding the total number of vehicles seized per year but an article from the Irish Examiner from 2020 claimed that approximately 2500 vehicles are detained each month equating to 30000 per year Considering the records I saw spanned multiple years going as far back as 2017 these numbers are consistent with our previous estimation of the number of people potentially affected by the breachppInitially I couldnt determine exactly who owned the database because of the number of towing and storage companies listed in the documents The only common denominator in all of the documents was the Garda Síochána so I promptly sent a responsible disclosure notice directly to them hoping they would take action to secure the exposure The database was restricted later that day and although the records all mentioned the Garda it appears they did not own or manage the database and it belonged to a private technology contractor based in Limerick Ireland The technology contractor acted quickly and professionally they reached out to me to confirm that the records were secure and to ensure that there was no malicious intent in my discovery and disclosure During the call we went over the timeline of my discovery to assist in their forensic audit and assess who else may have accessed the exposed records It appears that the Garda Síochána outsources the technology management towing and storage to private contractors Although the records indicate they are officially related to Gardas seizure and storage of vehicles it is important to note that the Garda Síochána was not directly responsible for the misconfigured cloud storage repository that resulted in the data breachppIn Ireland Section 41 S41 of the Road Traffic Act 1994 stipulates that the Garda Síochána has the authority to seize and retain a vehicle for certain reasons such as ensuring road safety law enforcement and compliance with road traffic regulations The tasks of seizing towing and storing these vehicles are carried out by private towing companies who are authorized by the Garda In 2022 the Garda published a document online that lists 36 private towing companies Owners of the vehicles are required to pay a 125 fine plus 35 for every 24 hours the car was kept in storageppAccording to a report in the Irish Examiner in 2020 an internal audit found that Garda Síochána loses a massive amount of money each year due to automobile owners not paying to recover their seized vehicles In 2018 alone the Garda Síochána spent an estimated 104m on towing and storage of seized vehicles while payments recovered from the car owners was just over 2m The report estimated losses at 20 million between 2016 and 2018 with the trend suggesting that losses will continue to increase each year I saw numerous waivers of ownership documents where citizens give up their property to the police when they cant pay the fines and storage fees or they no longer want their vehicle The database also contained numerous Freedom of Information Act request documents that identified other expenses or budget detailsppVehicles can be detained under S41 of the Irish Road Traffic Act 1994 for various reasons for instance ifppThe Garda can dispose of a vehicle that has been detained removed or held in storage if it has not been claimed within 21 days or if the fines and fees have not been paid If the vehicle owner disagrees with the detention seizure or disposal of their vehicle they have the right to appeal the decisionppGDPR General Data Protection Regulation regulations apply in Ireland and organizations are required to take data incidents seriously and notify both the relevant authorities and affected individuals promptly GDPR grants individuals the right to have their personal data protected and to be informed about data breaches that may affect them If you ever receive such notice or have reason to believe your data may have been exposed online its important to identify and mitigate potential risksppDepending on the type of data that was exposed there are different things that you can do In cases where financial data may have been exposed you should monitor your bank and credit card statements for any unauthorized or suspicious transactions If you notice anything out of the ordinary you should act fast to report it to your bank or freeze the account Another serious potential risk is criminals using identification documents exposed online for identity theft This includes criminals impersonating you obtaining financial services in your name and even using the documents as a template to create fake IDs Monitoring your credit reports or subscribing to a credit monitoring service can help to detect any signs of identity theft and limit the damages or fraudulent accountsppAs an ethical cyber security researcher I never download or extract the information that I find I access exposed databases only to the extent necessary to confirm their nature and the potential risks involved I never manipulate change or interfere with the data I do however take a limited number of redacted screenshots for verification purposes to validate my findings which I delete after reporting the discovery I publish my findings in cases where a large number of private citizens data was exposed or when it serves the public good to be aware of a potential exposure Our role is to provide accurate and timely information to the public In doing so we aim to maintain a neutral stance reporting only the facts of the discovery as well as the potential risks associated with any data exposureppIt is essential to clarify that our reporting of this data incident should not be construed as an accusation of wrongdoing on the part of the private contractors Data breaches can happen to even the most diligent organizations as the landscape of cyber threats is everevolving and complex Furthermore law enforcement documents or records are especially coveted by malicious hackers as they contain plenty of PII that could be used for financial and phishing scamsppOur findings and report are based on the data available at the time of discovery We do not claim to have comprehensive knowledge of the full scope implications or origins of the exposure It is unknown exactly how long the database and the documents were publicly exposed before I sent the responsible disclosure notice and the database was restricted from public access Nor do we know if anyone else gained access to the database and records However we do not imply that the records or personal information of individuals who had their automobiles seized members of the Garda or private contractors was ever at risk or accessed by anyone else The intent behind our report is not to assign blame but to inform our readers and the general public about the data exposure incident Our goal is to promote cyber security awareness and constructive dialogue to mitigate the potential impact of the breach and contribute to a safer cyberspaceppCybersecurity researcher at vpnMentor and CoFounder of Security DiscoveryppJeremiah finds and reports data breaches and vulnerabilities He identifies real world examples of how exposed data can be a much bigger risk to personal privacy Together with the vpnMentor team he has helped secure the personal data of millions of people from all over the world ppJeremiah has over 10 years of experience in cyber security and has found some of the largest data breaches recorded in yearly summaries After the company he was working for had a data breach of their own customers he became inspired to find out how data exposures happen What started as digital treasure hunting quickly became more than a hobby He quickly became a well known security researcher and thought leader frequently appearing in the newsppHe has been a keynote speaker at multiple security conferences and has given lectures and webinars to startups and Fortune 100 companies on the topics of cyber security privacy and data protection Jeremiah lives by the saying Do what you love and you will always love what you doppShare it with your friendsp
vpnMentor contains reviews that are written by our community reviewers These take into consideration the reviewers independent and professional examination of the productsservices pp
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacyrelated stories Today our team of hundreds of cybersecurity researchers writers and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC which also owns the following products ExpressVPN CyberGhost ZenMate Private Internet Access and Intego which may be reviewed on this website pp
vpnMentor contains reviews that follow the strict reviewing standards including ethical standards that we have adopted Such standards require that each review will take into consideration the independent honest and professional examination of the reviewer That being said we may earn a commission when a user completes an action using our links at no additional cost to them On listicle pages we rank vendors based on a system that prioritizes the reviewers examination of each service but also considers feedback received from our readers and our commercial agreements with providers pp
The reviews published on vpnMentor are written by community reviewers that examine the products according to our strict reviewing standards Such standards ensure that each review prioritizes the independent professional and honest examination of the reviewer and takes into account the technical capabilities and qualities of the product together with its commercial value for users The rankings we publish may also take into consideration the affiliate commissions we earn for purchases through links on our website ppCybersecurity Researcher Jeremiah Fowler discovered and reported to vpnMentor about a nonpassword protected database that contained over 500k records containing identification documents and other potentially sensitive information The documents appear to be associated with the Irish National Police Database of automobile seizures and the private towing and storage contractorsppThe database contained records from numerous private towing and storage companies acting as private contractors on behalf of Garda Síochána also known as the Irish national police service The records included notices of automobile seizure as well as destruction notices release documents scanned identification documents insurance investigation inquiries certificates of vehicle registration and other documentation relevant to the detention of a vehicle Additionally there were spreadsheets and monthly reports that included vehicle and registration information names of vehicle owners contractor information and other potentially sensitive data The total number of documents was 521043 with a total size of 2718 GBppUnder Irish law when a vehicle is detained the registered owner must present several documents including identification insurance documentation receipts for taxes and the payment for recoverystorage charges Based on what I saw in the database it is estimated that there are approximately 2 to 5 documents related to each individual case Considering the half a million records contained in the database this means that an average of 150000 vehicle owners could be potentially affected by the breach I couldnt find any publicly available official information regarding the total number of vehicles seized per year but an article from the Irish Examiner from 2020 claimed that approximately 2500 vehicles are detained each month equating to 30000 per year Considering the records I saw spanned multiple years going as far back as 2017 these numbers are consistent with our previous estimation of the number of people potentially affected by the breachppInitially I couldnt determine exactly who owned the database because of the number of towing and storage companies listed in the documents The only common denominator in all of the documents was the Garda Síochána so I promptly sent a responsible disclosure notice directly to them hoping they would take action to secure the exposure The database was restricted later that day and although the records all mentioned the Garda it appears they did not own or manage the database and it belonged to a private technology contractor based in Limerick Ireland The technology contractor acted quickly and professionally they reached out to me to confirm that the records were secure and to ensure that there was no malicious intent in my discovery and disclosure During the call we went over the timeline of my discovery to assist in their forensic audit and assess who else may have accessed the exposed records It appears that the Garda Síochána outsources the technology management towing and storage to private contractors Although the records indicate they are officially related to Gardas seizure and storage of vehicles it is important to note that the Garda Síochána was not directly responsible for the misconfigured cloud storage repository that resulted in the data breachppIn Ireland Section 41 S41 of the Road Traffic Act 1994 stipulates that the Garda Síochána has the authority to seize and retain a vehicle for certain reasons such as ensuring road safety law enforcement and compliance with road traffic regulations The tasks of seizing towing and storing these vehicles are carried out by private towing companies who are authorized by the Garda In 2022 the Garda published a document online that lists 36 private towing companies Owners of the vehicles are required to pay a 125 fine plus 35 for every 24 hours the car was kept in storageppAccording to a report in the Irish Examiner in 2020 an internal audit found that Garda Síochána loses a massive amount of money each year due to automobile owners not paying to recover their seized vehicles In 2018 alone the Garda Síochána spent an estimated 104m on towing and storage of seized vehicles while payments recovered from the car owners was just over 2m The report estimated losses at 20 million between 2016 and 2018 with the trend suggesting that losses will continue to increase each year I saw numerous waivers of ownership documents where citizens give up their property to the police when they cant pay the fines and storage fees or they no longer want their vehicle The database also contained numerous Freedom of Information Act request documents that identified other expenses or budget detailsppVehicles can be detained under S41 of the Irish Road Traffic Act 1994 for various reasons for instance ifppThe Garda can dispose of a vehicle that has been detained removed or held in storage if it has not been claimed within 21 days or if the fines and fees have not been paid If the vehicle owner disagrees with the detention seizure or disposal of their vehicle they have the right to appeal the decisionppGDPR General Data Protection Regulation regulations apply in Ireland and organizations are required to take data incidents seriously and notify both the relevant authorities and affected individuals promptly GDPR grants individuals the right to have their personal data protected and to be informed about data breaches that may affect them If you ever receive such notice or have reason to believe your data may have been exposed online its important to identify and mitigate potential risksppDepending on the type of data that was exposed there are different things that you can do In cases where financial data may have been exposed you should monitor your bank and credit card statements for any unauthorized or suspicious transactions If you notice anything out of the ordinary you should act fast to report it to your bank or freeze the account Another serious potential risk is criminals using identification documents exposed online for identity theft This includes criminals impersonating you obtaining financial services in your name and even using the documents as a template to create fake IDs Monitoring your credit reports or subscribing to a credit monitoring service can help to detect any signs of identity theft and limit the damages or fraudulent accountsppAs an ethical cyber security researcher I never download or extract the information that I find I access exposed databases only to the extent necessary to confirm their nature and the potential risks involved I never manipulate change or interfere with the data I do however take a limited number of redacted screenshots for verification purposes to validate my findings which I delete after reporting the discovery I publish my findings in cases where a large number of private citizens data was exposed or when it serves the public good to be aware of a potential exposure Our role is to provide accurate and timely information to the public In doing so we aim to maintain a neutral stance reporting only the facts of the discovery as well as the potential risks associated with any data exposureppIt is essential to clarify that our reporting of this data incident should not be construed as an accusation of wrongdoing on the part of the private contractors Data breaches can happen to even the most diligent organizations as the landscape of cyber threats is everevolving and complex Furthermore law enforcement documents or records are especially coveted by malicious hackers as they contain plenty of PII that could be used for financial and phishing scamsppOur findings and report are based on the data available at the time of discovery We do not claim to have comprehensive knowledge of the full scope implications or origins of the exposure It is unknown exactly how long the database and the documents were publicly exposed before I sent the responsible disclosure notice and the database was restricted from public access Nor do we know if anyone else gained access to the database and records However we do not imply that the records or personal information of individuals who had their automobiles seized members of the Garda or private contractors was ever at risk or accessed by anyone else The intent behind our report is not to assign blame but to inform our readers and the general public about the data exposure incident Our goal is to promote cyber security awareness and constructive dialogue to mitigate the potential impact of the breach and contribute to a safer cyberspaceppCybersecurity researcher at vpnMentor and CoFounder of Security DiscoveryppJeremiah finds and reports data breaches and vulnerabilities He identifies real world examples of how exposed data can be a much bigger risk to personal privacy Together with the vpnMentor team he has helped secure the personal data of millions of people from all over the world ppJeremiah has over 10 years of experience in cyber security and has found some of the largest data breaches recorded in yearly summaries After the company he was working for had a data breach of their own customers he became inspired to find out how data exposures happen What started as digital treasure hunting quickly became more than a hobby He quickly became a well known security researcher and thought leader frequently appearing in the newsppHe has been a keynote speaker at multiple security conferences and has given lectures and webinars to startups and Fortune 100 companies on the topics of cyber security privacy and data protection Jeremiah lives by the saying Do what you love and you will always love what you doppShare it with your friendsp