London council 'failed to test' parking ticket app, exposed personal info

A London council has been fined £70,000 after design faults in its TicketViewer app allowed unauthorised access to 119 documents containing sensitive personal information.

The parking ticket application, set up in 2012, was developed by Islington council's internal application team for the authority's parking services.

It allowed people issued with a parking ticket in the north London borough to log on using their car registration number and see CCTV images or videos of their alleged offence.

They could then appeal this ticket by sending supporting evidence – which might include details of health issues, disabilities or finances – to the council by email or post. The back office would scan and upload this information into the system as a ticket attachment folder.

That brought together a person's car reg, name, address and potentially medical and financial details – so you'd hope the council had properly tested the system.

But it seems this was not to be, and in October 2015 a concerned citizen alerted the council to the fact that these ticket attachment folders could be accessed if a user tweaked the URL.

Between the launch of the site in 2012 and the date the issue was reported, 825,000 parking tickets had been issued and 270,000 appeals received.

On October 25, 2015, the ticket attachment folders contained personal data relating to 89,000 users while internal testing showed that 119 documents had been accessed a total of 235 times from 36 unique IP addresses.

That information was related to 71 users – although an investigation by the UK's data protection watchdog found that there was no evidence that anyone had actually been harmed by the breach.

However, the Information Commissioner's Office found that the council had failed to take proper technical measures to stop unauthorised access to the information, and handed it a £70,000 fine (PDF) for breaching the Data Protection Act.

The ICO said that the folder browsing functionality in the web server was misconfigured and that the application had design faults.

"The council should have tested the system both prior to going live and regularly after that," it said.

"For no good reason, Islington appears to have overlooked the need to ensure that it had robust measures in place despite having the financial and staffing resources available."

The council notified both the ICO and the people whose data was exposed and, in a statement sent to The Register today, once again apologised for the breach.

"We remain very sorry about the previous TicketViewer problem and agree with the ICO that we failed to meet the required data protection standards back in 2015," a spokesperson said.

"As soon as we were aware of the problem we took every possible action to prevent a recurrence and instructed auditors to carry out a thorough review so we could learn from our mistake."

The council added that it had taken advantage of the reduced fine offered by the ICO for early payment, which cut the costs to £56,000. ®