Irish cops data debacle exposes half a million motorist records
Details of civilians and Garda officers were included, as well as high-res scans of identity documents
A third-party contractor running a database without password protection exposed more than 500,000 records related to vehicle seizures by the Irish National Police (An Garda Síochána, "Garda").
Security researcher Jeremiah Fowler found various records dating back to 2017 including scanned identity documents, insurance investigation inquiries, certificates of vehicle registration, and other potentially sensitive data.
Incident summary reports were also among the documents exposed. These included names and details of drivers, witnesses, and multiple Garda officers.
Fowler's investigation revealed "approximately 2 to 5 documents related to each individual case" exposed on the database, an insight he extrapolated to predict around 150,000 vehicle owners being affected by the incident.
The vehicle seizures were carried out by the Garda, but the database is entirely owned and operated by an unnamed, Limerick-based contractor, which was reportedly highly responsive to reports and remediated the issue promptly.
Asked about the findings, a Garda spokesperson told The Register: "We don't comment on third-party materials."
It offered a more substantial response to the Irish Independent newspaper, saying an investigation had been launched "immediately."
"Under An Garda Síochána's contract with individual towing companies, there are clear obligations on individual towing companies to protect any information supplied to them by An Garda Síochána including personal data," the spokesperson told the publication.
"This obligation also extends to situations where individual towing companies provide this information to a third party for storage purposes."
During the disclosure process, Fowler told The Register that he wasn't privy to whether there was evidence to suggest malicious actors had accessed the database or exfiltrated data.
He believes the access to the public cloud storage repository could have been set to "public" in error, since access needed to be open to multiple organizations, including the police and towing and storage companies.
"These documents are needed for the towing and storage companies and the police to have access at any time, and this could have been where the mistake occurred and public access was opened," he said.
"It is a huge pain in the ass to enter a password for each document, but someday we will need to sacrifice convenience for security. It will be painful but I believe the days of the one database full of everything will be extinct in the future."
Mounting police breaches
The latest revelation follows a long line of stories related to various police forces in the UK all reporting data incidents in recent months.
- Northern Ireland police may have endangered its own officers by posting details online in error
- Cumbrian Police accidentally publish all officers' details online
- You're not seeing double – yet another UK copshop is confessing to a data leak
- More UK cops' names and photos exposed in supplier breach
It all started with the Police Service of Northern Ireland (PSNI) posting a spreadsheet full of names and locations of its serving officers back in August, as well as civilian staff members.
The incident occurred due to the PSNI mistakenly posting online a response to a request made under the Freedom of Information Act 2000 (FoI) with too much information.
Speaking at the time, the Chair of the Police Federation for Northern Ireland, Liam Kelly, said that if home addresses had been included in the leak, the PSNI would have faced "a potentially calamitous situation."
Days later, Cumbria Constabulary became the second police force in the country to disclose officers' personal information. This time it was the names, salaries, and allowances of all officers.
The force confirmed in a statement that human error was to blame when the document was uploaded to its website in March.
Again, just days later in what was a wild fortnight for police data leaks, Norfolk and Suffolk police forces confirmed they had leaked raw crime report data in FoI responses.
London's Met Police followed suit later in August, disclosing that a third-party breach exposed officers' names, photos, salaries, and more.
Greater Manchester Police also announced in September that a third-party supplier of ID badges had been attacked with ransomware, which then led to theft of data relating to the names and photos of its officers. ®