Security breach in a traffic camera database exposes information about 8.6 MILLION car trips tied to individual license plates
- Cybersecurity researchers discovered a major flaw in a traffic camera database
- They were able to access the records of every car that passed through traffic cameras in Sheffield, England by entering an IP address into a web browser
- The database contained information about 8.6 million trips
- The records included license plate information, time of day and location data
A pair of cybersecurity researchers have discovered a major breach in a traffic camera database, exposing license plate and travel details from more than 8.6 million car trips.
The breach involved the automatic number-plate recognition (ANPR) system used in Sheffield, England to levy tolls on vehicles traveling into the city center at certain times of day.
The database – which kept records of individual license plates, time of day and intersection location from 100 different cameras placed around the city – could be accessed by entering its IP address into a web browser with no extra passwords or authentication necessary.
Security researchers discovered an enormous breach in the database that kept records from traffic camera footage in Sheffield, England, part of a program that was initially implemented in 2014 to levy tolls on vehicles driving into the city center
The breach was first discovered by security specialist Chris Kubecka and writer Gerard Janssen while using Censys.io, a tool that analyzes web hosts for potential security flaws.
Eugene Walker, Sheffield’s executive director of resources, told The Register that no individuals had been harmed or ‘suffered any detrimental effects’ because of the breach but admitted it was unacceptable.
‘We take joint responsibility for working to address this data breach,’ Walker said in a statement with David Hartley, assistant chief constable of the the South Yorkshire Police. ‘It is not an acceptable thing to have occurred.’
Tony Porter, commissioner of the UK’s surveillance camera oversight organization, was shocked by the news and promised a full investigation.
‘As chair of the National ANPR Independent Advisory Group, I will be requesting a report into this incident,’ Porter told The Register.
‘I will focus on the comprehensive national standards that exist and look toward any emerging compliance issues or failure thereof.’
3M helped design the camera network and software for the city of Sheffield, which ultimately recorded a database of 8,616,198 trips across 100 traffic cameras placed around the city
Sheffield’s ANPR system was first implemented in 2014 when the city contracted with the American corporation 3M to design the network of traffic cameras.
In 2018, the system began keeping permanent records of every vehicle that passed through every camera, with some cameras logging as many as 21,000 entries in a single day.
In total, the database contained 8,616,198 individual records.
Eugene Walker, Sheffield’s executive director of resources, accepted responsibility for the breach. ‘It is not an acceptable thing to have occurred,’ he said in a joint statement with David Hartley, Assistant Chief Constable of the the South Yorkshire Police
According to Edin Omanovic of Privacy International, a non-profit that advocates for improved data security, the breach is an example of how even well-intentioned surveillance programs can be exploited.
‘Time and again we’ve seen the introduction of surveillance tech for very specific purposes, only to creep into other areas of enforcement,’ Omanovic said.
‘ANPR use must be proportionate to the problem it’s trying to address – it’s not supposed to be a tool of mass surveillance.’
‘Both the council and police have a responsibility to ensure their use is proportionate and subject to a data protection impact assessment.’