Thousands of UK drivers have been caught up in a data breach at a UK parking firm.
A database of parking ticket details held by PaymyPCN.net covering almost 10,000 motorists was mistakenly published online. A security flaw on the private parking firm's website allowed public access to names, addresses, photographs and emails.
Sol Cates, CSO at security vendor Vormetric, commented: “[The] breach at PaymyPCN.net demonstrates that even with basic IT security measures in place, perimeters are still permeable.”
“In this case, it appears that, while motorists’ data and fine payments were encrypted once inputted into the PaymyPCN.net website, a backdoor link left the computer database wide open – providing access to private information provided to PaymyPCN.net by the DVLA. Although the information was encrypted, just as important is the control of access to the encrypted information – and this is where PaymyPCN.net appears to have failed,” he added.
Cates warned that the compromised data might be abused to craft more convincing social engineering scams down the line.
The breach was unearthed by consumer activist Michael Green after a private parking firm “sent it to a motorist in error,” Sky News reports. PaymyPCN.net reportedly took the site offline in the immediate aftermath of the breach, but it has since returned.
The company told Sky that it is “dedicated to safeguarding motorists' privacy and that transaction details entered into the site are encrypted”.
Green recently launched a campaign, called challengethefine.com, against the enforcement of parking “fines” on private land; it also protests the sale of motorists' details to private firms by the DVLA [the UK's vehicle and driver licensing authority].
PaymyPCN.net is involved in the collection of parking charge notices (PCNs), acting as an agent of both private and public sector parking operators.
El Reg asked the firm to comment but we've yet to hear back. We'll update this story as and when we learn more. ®