Irish cops data debacle exposes half a million motorist records

A third-party contractor running a database without password protection exposed more than 500,000 records related to vehicle seizures by the Irish National Police (An Garda Síochána, "Garda"). Security researcher Jeremiah Fowler found various records dating back to 2017 including scanned identity documents, insurance …

  1. b0llchit Silver badge

    A third-party contractor running a database without password protection...

    That should amount to criminal negligence.

    and then:

    ...have been set to "public" in error, since access needed to be open to multiple organizations, including the police and towing and storage companies.

    That is (criminal) gross incompetence at work. Anybody not applying a segregated and security-in-depth design must be mandated to pay for any and all possible and potential losses from now to eternity for anybody potentially exposed.

    And the C-suite should be publicly flogged.

    1. Yorick Hunt Silver badge

      Whenever a "third-party contractor" is involved with a government department, I always wonder whether said "contractor" was just a friend/relative of someone high up in the government department in question. No qualifications, no previous experience, just someone who thinks "yeah, I can click a few things and make this happen."

      If something like this happened in the civilian (i.e., non-government) sphere, you can bet there'd be hefty outrage and commensurate fines involved. As it stands, it's likely to evoke minimal publicity and even less compensation for those affected.

      1. Phil O'Sophical Silver badge

        I doubt it ever makes it to "someone high up in the government department". More likely someone in purchasing is told to "find a supplier", puts out a tender, and chooses the cheapest plausible-sounding response. They see that Seamus Bloggs has "qualified security consultant" on his website, and have no understanding of what that means, or what actual qualifications are needed.

  2. SickNick

    "It is a huge pain in the ass to enter a password for each document..." - this is not the only alternative!

    1. Blazde Silver badge

      The ascetic approach to information security: Since usability and security are always in tension, we must make our secure systems maximally inconvenient to use.

  3. ChrisElvidge Bronze badge

    Do the "half a million records" include the numerous references to the Polish driver Prawo Jazdy?

  4. Ken Moorhouse Silver badge

    A Limerick-based contractor...

    Here's some input from ChatGPT:-

    In a town where the law had a quirk,
    Car seizures were cause for much irk.
    But a breach in security,
    Threw their plans into obscurity,
    Now the seized cars just drove off with a smirk!

  5. Barry Mahon

    The suggestion that the job was an inside track and involved a tendering process is unlikely.

    Much more likely, in the Irish 'public service', i.e. computer stuff, is that the db is part of a routine arrangement to outsource "that sort of stuff", as the Gardaí have almost no competence, no supervision, no wish to get involved and no staff capable of doing it.

    The Gardaí have an internal online recording thing which has had so many breaches it is like a spider's web.

    At one time there was a requirement to have a Superintendent sign off on queries on drivers, etc. The way that was done was to "put a pile of stuff on the Super's desk as he was going home and he would scribble the signature on them all".

    Apparently, all has been recently 'upgraded'; this story is probably a manifestation of that.

  6. tiggity Silver badge

    Audits would be useful

    I'm guessing from Garda comments, leaks may be due to a vehicle tow company or, more likely, a third-party company they use (your average small independent towing company is obviously likely not to have a dedicated IT team!).

    Given the likely minimal IT skills of "one person & a tow truck" style tow companies, the use of third-party data hosts, and the potential sensitivity of the data, I'm surprised Garda do not get regular IT security audits done (for GDPR needs if nothing else). Or were third-party data hosts telling truck companies "all is fine security / GDPR wise" and tow companies passing the same message back to Garda?

    A big flaw in GDPR stuff is basically having to take the word of third parties that all is OK - audits are useful (but expensive) and it can be a hassle getting third parties to agree to an audit, but it is surprising that what is essentially a part of the "state" does not have audits in place for stuff like that.

    ... though anything govt related often seems to get off lightly on GDPR breaches compared to private companies, so maybe little incentive...
