Thousands of drivers have sensitive data exposed to hackers in major IT breach

Security expert who notified gardaí said he was able to access receipts with debit card details, as well as drivers’ licences and incident summary reports

More than half a million documents exposed include details of insurance investigations, vehicle registration certs, notices of car seizures and payment card details.

The breach was caused by a software error at a Limerick-based IT services firm, which is retained by tow-truck companies working for An Garda Síochána.

Gardaí insist the force is not at fault for the breach, and the Data Protection Commissioner (DPC) is currently trying to establish who, as the controller of the data, is ultimately responsible.

It is unclear how long the security vulnerability was in place, or how many may have accessed the citizen data, made up of 512,000 documents dating back to 2017.

Gardaí were notified of the breach in August by international cyber-security researcher, Jeremiah Fowler.

Mr Fowler said he had discovered an unprotected online database with spreadsheets, vehicle registration information, driving licences and other sensitive data.

The online database was part of a storage system for 11 towing companies which store records of towed cars for An Garda Síochána and other entities.

When notified, An Garda Síochána contacted the Limerick IT services firm and also conducted its own data investigation, which determined that the risk to citizens was “limited”.

However, Mr Fowler said he was able to access receipts with full debit card details, as well as drivers’ licences and incident summary reports.

“This information could potentially lead to unauthorised fraudulent charges,” he said.

He said other accessible data included documents marked as “confidential”, among them incident summary reports that “contained names and details of drivers, witnesses and multiple Garda officers”.

Many other reports included details such as fees, registration numbers and names of individuals, he said.

“Numerous other documents marked as confidential were publicly exposed,” added Mr Fowler.

The images exposed were high-resolution scans of sensitive personal documents that could be used for identity theft or for scams, including by email and text.

A garda spokesperson said a data investigation was launched “immediately” after Mr Fowler brought the matter to its attention.

“Under An Garda Síochána’s contract with individual towing companies, there are clear obligations on individual towing companies to protect any information supplied to them by An Garda Síochána including personal data,” the spokesperson said.

“This obligation also extends to situations where individual towing companies provide this information to a third party for storage purposes.”

The spokesperson said 11 towing companies, used by An Garda Síochána and other state bodies, are contracted with the Limerick-based IT services company to store their data on the “cloud”.

When contacted, the owner of the IT services company said the issue arose when applying a new release of software for the data service provided to the firms.

Describing the issue as an “error”, he said his firm was providing an outsourced service for the towing companies and other firms involved and was not directly contracted by An Garda Síochána. He also said most of the exposed data was not related to An Garda Síochána.

He said the firm made the database secure within 70 minutes of being notified about the vulnerability and subsequently conducted a forensic audit. He said the firm acted in accordance with data privacy and legal protocols in contacting relevant authorities, including the Data Protection Commissioner.

A spokesperson for the DPC said that although it has received a breach notice from the IT services company, the notice was not submitted as data controller, meaning that the IT services firm was not ultimately responsible for safeguarding the information.

It is understood that the DPC is now seeking to establish who, ultimately, is responsible as data controller of the exposed data.

Mr Fowler said it would not have been difficult for a hacker or an IT expert to access the exposed data. “The only thing needed to view it, once you had the database name, was the native browser tool,” he said. “No specialised software would have been required.”

