Thousands of drivers have sensitive data exposed to hackers in major IT breach | Independent.ie

Security expert who notified gardaí said he was able to access receipts with debit card details, as well as drivers' licences and incident summary reports
Thousands of motorists have sensitive licence data exposed to hackers in major Garda towing firm IT breach

The driving licences of thousands of motorists who had vehicles towed on behalf of the gardaí were left at the mercy of hackers in a major data breach, the Irish Independent can reveal.

More than half a million documents exposed include details of insurance investigations, vehicle registration certs, notices of car seizures and payment card details.

The breach was caused by a software error at a Limerick-based IT services firm which is retained by tow-truck companies working for An Garda Síochána.

Gardaí insist the force is not at fault for the breach, and the Data Protection Commissioner (DPC) is currently trying to establish who, as the controller of the data, is ultimately responsible.

It is unclear how long the security vulnerability was in place or how many may have accessed the citizen data, made up of 512,000 documents dating back to 2017.

Gardaí were notified of the breach in August by international cybersecurity researcher Jeremiah Fowler.

[Image: A disclaimer notice]

Mr Fowler said he had discovered an unprotected online database with spreadsheets, vehicle registration information, driving licences and other sensitive data.

The online database was part of a storage system for 11 towing companies which store records of towed cars for An Garda Síochána and other entities.

When notified, An Garda Síochána contacted the Limerick IT services firm and also conducted its own data investigation, which determined that the risk to citizens was limited.

However, Mr Fowler said he was able to access receipts with full debit card details, as well as drivers' licences and incident summary reports.

[Image: An incident summary report]

This information could potentially lead to unauthorised fraudulent charges, he said.

He said other accessible data exposed documents marked as confidential, including incident summary reports that contained names and details of drivers, witnesses and multiple Garda officers.

Many other reports included details such as fees, registration numbers and names of individuals, he said.

Numerous other documents marked as confidential were publicly exposed, added Mr Fowler.

[Image: A receipt containing debit card details]

The images exposed were high-resolution scans of sensitive personal documents that could be used for identity theft or scams, including emails and texts.

A garda spokesperson said a data investigation was launched immediately after Mr Fowler brought the matter to its attention.

"Under An Garda Síochána's contract with individual towing companies, there are clear obligations on individual towing companies to protect any information supplied to them by An Garda Síochána, including personal data," the spokesperson said.

"This obligation also extends to situations where individual towing companies provide this information to a third party for storage purposes."

The spokesperson said 11 towing companies used by An Garda Síochána and other state bodies are contracted with the Limerick-based IT services company to store their data on the cloud.

[Image: A vehicles release report]

When contacted, the owner of the IT services company said the issue arose when applying a new release of software for the data service provided to the firms.

Describing the issue as an error, he said his firm was providing an outsourced service for the towing companies and other firms involved and was not directly contracted by An Garda Síochána. He also said most of the exposed data was not related to An Garda Síochána.

He said the firm made the database secure within 70 minutes of being notified about the vulnerability and subsequently conducted a forensic audit. He said that firm acted in accordance with data privacy and legal protocols in contacting relevant authorities, including the Data Protection Commissioner.

A spokesperson for the DPC said that although it has received a breach notice from the IT services company, it was not as data controller, meaning that the IT services firm was not ultimately responsible for safeguarding the information.

It is understood that the DPC is now seeking to establish who ultimately is responsible as data controller of the exposed data.

Mr Fowler said it would not have been difficult for a hacker or an IT expert to access the exposed data. "The only thing needed to view it once you had the database name was the native browser tool," he said. No specialised software would have been required.