Sheffield Council's Anpr System Left Open To Internet

4 hours ago, Planner1 said:

I think I might disagree with you there. The average internet user would not know a vulnerability was there or how to find the data. You said yourself that there are systems “trawling” for vulnerabilities, which fits perfectly the analogy of the door being unlocked, but most people wouldn’t know unless they went up and tried the door.
 

As I’ve already said, I understand GDPR and how registration plate data should be treated. Something went wrong in this instance and it appears that things haven’t been done the way they should. The relevant authorities (ICO) are aware and looking into it, as I’d imagine are the system owners and the vulnerability appears to have been fixed. I’d suspect we’ll not hear much more about it officially till the ICO have completed their investigations, which is normally a good while,  so there isn’t much more to say really.

I'm sorry, this is atrocious of the council to have left it open or anywhere near the internet. The council's reaction of 'no harm no foul' isn't how the law works (ask those found guilty of attempted murder - no harm no foul?). The council have a computer system, probably VPN and I'm sure other systems require you to be inside the network.

 

Someone, somewhere within the council actively decided none of this protection or security was required and THAT person/people shouldn't wait for the ICO and should be escorted out of the council ASAP and made to pay any fine directly.

 

Isn't there anything more to say? How about the council saying sorry? Their non-apology doesn't stop them doing something - like reassuring us that the people behind this haven't developed any other council systems.

Edited by hsb98c

3 hours ago, hsb98c said:

I'm sorry, this is atrocious of the council to have left it open or anywhere near the internet. The council's reaction of 'no harm no foul' isn't how the law works (ask those found guilty of attempted murder - no harm no foul?). The council have a computer system, probably VPN and I'm sure other systems require you to be inside the network.

 

Someone, somewhere within the council actively decided none of this protection or security was required and THAT person/people shouldn't wait for the ICO and should be escorted out of the council ASAP and made to pay any fine directly.

 

Isn't there anything more to say? How about the council saying sorry? Their non-apology doesn't stop them doing something - like reassuring us that the people behind this haven't developed any other council systems.

How do you know it was the council or somebody who works for them? Could it not have been a contractor?

 

I think likening it to attempted murder is a bit much. 
 

Whether or not any penalty is applied and if it is, what type of penalty depends on numerous factors:

 

GDPR fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.

Any fine you might receive will depend on:

  • The type of infringement, how severe it was and how long it lasted;
  • Whether it was deliberate or accidental;
  • The action you took to reduce the damage to individuals (data subjects);
  • Your security measures;
  • Whether this is your first GDPR infringement;
  • How cooperative you were when fixing the issue;
  • The types of personal data involved;
  • Whether you notified the supervisory authority yourself; and
  • Whether you adhere to any approved codes of conduct or certification schemes

If a matter is being investigated internally or externally, it is often the case that no-one discusses the case in public before investigations are complete, as they don’t want to prejudice the outcome.
 

None of us know exactly what happened, how, why and exactly who is responsible. Speculating on it helps no-one. 
 

You’re entitled to your opinions, but employment law doesn’t work in the way you suggest. Also interesting that you are all for the rights of people to have their data protected, but appear not to care a fig about the rights of employees. 
 

I remember last time this very subject was discussed on here, people also thought the Council were breaching data protection regulations. Complaints were made and the ICO investigated. They found no issues that concerned them and no action was taken.
 

In the current case, we don’t know the full facts, so we will just have to let the regulators investigate it and see what they think to it. 

12 hours ago, altus said:

What the average internet user would do is irrelevant. In real life the average person doesn't go looking for unlocked doors but people up to nefarious purposes do. The risk is from those people, not the average person.

This. Exactly this.

 

Security by obscurity is not security and if anyone at SCC thought it was they should be sacked. It's the first thing any network admin is taught. 

3 hours ago, the_bloke said:

This. Exactly this.

 

Security by obscurity is not security and if anyone at SCC thought it was they should be sacked. It's the first thing any network admin is taught. 

Obviously SCC admins aren't taught anything. However it doesn't surprise me. I was once in possession of several ex-council PCs that I was repurposing for a charity. These were machines that were rescued from going into GENERAL waste channels. 

All of them had hard drives that still had the OS and were fully operational, like they had just come off the desk.

Software that was password protected was easy to bypass as pretty much every one was one of the top ten most commonly used passwords. 

 

Obviously I destroyed all the data on the drives with multiple passes of data destroyer software.

 

@Planner1

 

I take exception at you defending the council on this one by stating it could have been a contractor. The council hire contractors and as such should have some form of oversight, especially over services that record legally protected sensitive data. 

It is the responsibility of the council to ensure that the contractor is aware of and is following the law.

2 minutes ago, Resident said:

@Planner1

 

I take exception at you defending the council on this one by stating it could have been a contractor. The council hire contractors and as such should have some form of oversight, especially over services that record legally protected sensitive data. 

It is the responsibility of the council to ensure that the contractor is aware of and is following the law.

Yes, this is a major bugbear of mine, not just here but in general - you contract with a company for something and then if they subcontract some or all of the contract they pass the buck and refuse to accept responsibility. It is a disgrace and a sign of total contempt for the customer.


If you have ever felt that you have been followed somewhere...then this is a way by which nefarious people can trace and follow you.....and the Council is fully responsible for allowing it to happen....It explains so much to me now, they have opened the doors to all manner of people and the problems they may cause us, how do we know that the council does not benefit by this convenient oversight, opening doorways into the lives of others they wish to know about ?

10 minutes ago, beau carrel said:

If you have ever felt that you have been followed somewhere...then this is a way by which nefarious people can trace and follow you.....and the Council is fully responsible for allowing it to happen....It explains so much to me now, they have opened the doors to all manner of people and the problems they may cause us, how do we know that the council does not benefit by this convenient oversight, opening doorways into the lives of others they wish to know about ?

........and there’s always a conspiracy theory..........

32 minutes ago, Resident said:

Obviously SCC admins aren't taught anything. However it doesn't surprise me. I was once in possession of several ex-council PCs that I was repurposing for a charity. These were machines that were rescued from going into GENERAL waste channels. 

All of them had hard drives that still had the OS and were fully operational, like they had just come off the desk.

Software that was password protected was easy to bypass as pretty much every one was one of the top ten most commonly used passwords. 

 

Obviously I destroyed all the data on the drives with multiple passes of data destroyer software.

 

@Planner1

 

I take exception at you defending the council on this one by stating it could have been a contractor. The council hire contractors and as such should have some form of oversight, especially over services that record legally protected sensitive data. 

It is the responsibility of the council to ensure that the contractor is aware of and is following the law.

And I take exception to you jumping to unsupportable conclusions. “SCC admins aren’t taught anything” You know this how? Because someone, somewhere may have made a mistake, or error of judgement?
 

So if any of us make a mistake, or do something wrong, we’ve been taught nothing? Have you never made a mistake of any description?

 

People are human, we make mistakes and do it wrong for many varied reasons.

 

The truth is that we know very little about this case other than a journo went snooping and found a security vulnerability, which was closed and reported to the appropriate authorities as soon as the owners of the system were notified of it.
 

Other than that, we know nothing and aren’t likely to find out until the investigations into it are completed.

 

I find it lamentable that people are far too quick to say people should lose their jobs or have significant financial penalties passported to them. Employers have proper processes for investigating and dealing with misconduct or poor performance. Employees have legal rights and in circumstances of this nature, if my understanding is correct, any fines levied on an organisation by the regulator can’t be passported to an individual employee.

 

I also find it lamentable that because of one isolated incident, people are so quick to vilify an organisation that does a lot of good work and whose employees generally try their very best to do a good job, under often difficult circumstances ( like constant year on year funding cuts).

 

Of course people and organisations should be accountable for their actions and the systems and safeguards they put in place should be suitable for the job. However, in my view, we should keep a sense of proportion and not leap to unsupportable conclusions. My experience of the ICO is that they are reasonable people who do a decent job. They’re on the case and will find out the facts. SCC will hopefully address any identified deficiencies.

 

I will also point out again that people on here thought that SCC were in breach of regulations when they started collecting ANPR data a good few years ago. The ICO investigated their complaints and didn’t agree.

5 minutes ago, Planner1 said:

And I take exception to you jumping to unsupportable conclusions. “SCC admins aren’t taught anything” You know this how? Because someone, somewhere may have made a mistake, or error of judgement?
 

So if any of us make a mistake, or do something wrong, we’ve been taught nothing? Have you never made a mistake of any description?

 

People are human, we make mistakes and do it wrong for many varied reasons.

 

The truth is that we know very little about this case other than a journo went snooping and found a security vulnerability, which was closed and reported to the appropriate authorities as soon as the owners of the system were notified of it.
 

Other than that, we know nothing and aren’t likely to find out until the investigations into it are completed.

 

I find it lamentable that people are far too quick to say people should lose their jobs or have significant financial penalties passported to them. Employers have proper processes for investigating and dealing with misconduct or poor performance. Employees have legal rights and in circumstances of this nature, if my understanding is correct, any fines levied on an organisation by the regulator can’t be passported to an individual employee.

 

I also find it lamentable that because of one isolated incident, people are so quick to vilify an organisation that does a lot of good work and whose employees generally try their very best to do a good job, under often difficult circumstances ( like constant year on year funding cuts).

 

Of course people and organisations should be accountable for their actions and the systems and safeguards they put in place should be suitable for the job. However, in my view, we should keep a sense of proportion and not leap to unsupportable conclusions. My experience of the ICO is that they are reasonable people who do a decent job. They’re on the case and will find out the facts. SCC will hopefully address any identified deficiencies.

 

I will also point out again that people on here thought that SCC were in breach of regulations when they started collecting ANPR data a good few years ago. The ICO investigated their complaints and didn’t agree.

If it had been just one of the thirty-two PCs I had taken possession of, or just one piece of software with an easy password, then yes, I'd have called it a mistake.

 

The fact that all 32 machines: 

 

A: Hadn't been securely wiped before disposal or entered into a secure waste channel

B: Had, all but one, been "secured" by the easiest passwords in the world, i.e. password or 12345

 

shows a level of incompetence far beyond a simple mistake.

 

The ANPR breach is a massively serious one with possible far-reaching consequences. Those responsible for the breach should face harsh penalties including at minimum the loss of their position. It's an act of gross misconduct at minimum, although I'd probably push for criminal negligence.

 

One isolated incident you say? SCC's woeful and major ineptness is well documented over the years.

43 minutes ago, Planner1 said:

People are human, we make mistakes and do it wrong for many varied reasons.

 

The truth is that we know very little about this case other than a journo went snooping and found a security vulnerability, which was closed and reported to the appropriate authorities as soon as the owners of the system were notified of it.
 

Other than that, we know nothing and aren’t likely to find out until the investigations into it are completed.

 

I find it lamentable that people are far too quick to say people should lose their jobs or have significant financial penalties passported to them.

Sorry, no. IT security is part of my job. What was exposed was a rudimentary UI to a database of millions of records. It should have been firewalled, password protected, and the data should have been disposed of after the period of time it was deemed useful and anonymised where possible. This isn't a 'security vulnerability', it's a total loss of security.

 

This isn't a mistake, it's a total failure from beginning to end. I hope that right now, someone is going through every public facing domain, IP address and port to make sure nothing else is exposed.

 

I work with data hosted in the cloud; we have strict policies on how it is controlled, who can access it, what level of protection it has and everything is tested before being populated with customer data. Either SCC have a similar process that hasn't been followed - a failure - or they have no process at all - a failure.

 

Assuming that it's okay because only a journalist found it is naive; just because SCC say no one else accessed it, doesn't mean they didn't. I'm not convinced they have the technical ability to be sure of a claim.

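The post above says the data "should have been disposed of after the period of time it was deemed useful and anonymised where possible". The following is an added example (not code from any forum poster, SCC, or the ANPR vendor) of what such a retention job looks like in Python: sightings older than a short window have their plate replaced by a keyed hash, so traffic statistics still link the same vehicle across cameras but the registration cannot be read back without the secret key, and sightings past a longer window are deleted outright. The retention windows, the key, the `Sighting` record shape and the sample sightings are all constructed for illustration and are not SCC's actual policy or data.

```python
"""Retention and pseudonymisation job for ANPR-style sighting records.

Added illustration only: windows, key and sample data are constructed, not real.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Assumed policy windows for this example (not SCC's real retention policy).
PLATE_PSEUDONYMISE_AFTER = timedelta(days=30)   # raw plates kept only this long
RECORD_DELETE_AFTER = timedelta(days=365)       # whole record purged after this


@dataclass(frozen=True)
class Sighting:
    plate: str              # raw registration, or a keyed hash once pseudonymised
    camera_id: str
    seen_at: datetime       # timezone-aware capture time
    pseudonymised: bool = False


def pseudonymise_plate(plate: str, key: bytes) -> str:
    """Return an HMAC-SHA256 of the normalised plate.

    A keyed hash (rather than a plain SHA-256) stops anyone with the dataset
    from simply hashing every plausible registration and matching it up; the
    key must live outside the database. Note this is pseudonymisation, which
    GDPR still treats as personal data, not full anonymisation.
    """
    normalised = plate.replace(" ", "").upper()
    return hmac.new(key, normalised.encode("ascii"), hashlib.sha256).hexdigest()


def apply_retention(records, now: datetime, key: bytes):
    """Apply the two-stage policy and return the records that survive.

    Records past RECORD_DELETE_AFTER are dropped; records past
    PLATE_PSEUDONYMISE_AFTER get their plate hashed exactly once (the
    `pseudonymised` flag makes repeated runs idempotent).
    """
    kept = []
    for rec in records:
        age = now - rec.seen_at
        if age >= RECORD_DELETE_AFTER:
            continue                      # purge: no longer useful, delete it
        if age >= PLATE_PSEUDONYMISE_AFTER and not rec.pseudonymised:
            rec = replace(rec, plate=pseudonymise_plate(rec.plate, key),
                          pseudonymised=True)
        kept.append(rec)
    return kept


# Constructed sample input (invented plates, cameras and times).
DEMO_KEY = b"example-key-rotate-and-keep-out-of-the-database"
DEMO_NOW = datetime(2020, 5, 1, tzinfo=timezone.utc)
DEMO_RECORDS = [
    Sighting("AB12 CDE", "cam-01", DEMO_NOW - timedelta(days=1)),    # fresh: keep raw
    Sighting("AB12 CDE", "cam-07", DEMO_NOW - timedelta(days=60)),   # old: hash plate
    Sighting("XY99 ZZZ", "cam-03", DEMO_NOW - timedelta(days=400)),  # stale: delete
]


def run_demo():
    """Run the policy over the constructed sample and return the survivors."""
    return apply_retention(DEMO_RECORDS, DEMO_NOW, DEMO_KEY)


if __name__ == "__main__":
    for s in run_demo():
        print(s.camera_id, s.seen_at.date(), s.plate, "(hashed)" if s.pseudonymised else "")
```

Run as a scheduled job against the live store, the same routine would be the "disposal" step the post asks for; the firewall and authentication in front of the dashboard are separate controls and nothing in this script substitutes for them.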

As an update:

 

https://techbeacon.com/security/86m-pii-leaked-uk-citys-cctv-db-neology-denies-responsibility

 

Lawyers representing Neology deny they were responsible for the management of the system, which means SCC was. Even if they shipped it out to a subcontractor, it's still SCC's responsibility.

 

https://securityboulevard.com/2020/04/lack-of-basic-security-measures-on-sheffields-anpr-system-exposes-8-6-million-records-of-vehicle-movements-and-license-plate-numbers/

 

If the lack of protection for private information is not enough to fill up your plate, the IT publication also revealed that the servers hosting the ANPR dashboard were home to a storage drive address. It featured millions of snapshots taken from the county’s 100 surveillance cameras that provide a constant feed to the system, including license plates, faces of drivers or passengers and nearby pedestrians.

Edited by the_bloke

3 hours ago, the_bloke said:

As an update:

 

https://techbeacon.com/security/86m-pii-leaked-uk-citys-cctv-db-neology-denies-responsibility

 

Lawyers representing Neology deny they were responsible for the management of the system, which means SCC was. Even if they shipped it out to a subcontractor, it's still SCC's responsibility.

 

https://securityboulevard.com/2020/04/lack-of-basic-security-measures-on-sheffields-anpr-system-exposes-8-6-million-records-of-vehicle-movements-and-license-plate-numbers/

 

If the lack of protection for private information is not enough to fill up your plate, the IT publication also revealed that the servers hosting the ANPR dashboard were home to a storage drive address. It featured millions of snapshots taken from the county’s 100 surveillance cameras that provide a constant feed to the system, including license plates, faces of drivers or passengers and nearby pedestrians.

It still isn’t clear who has been managing the system. The statements from SCC and SY Police saying they take joint responsibility tend to indicate it’s a shared system.

 

SCC’s IT support has been outsourced for many years.

 

On the first link you provided, one of the commentators mentioned that these issues can be caused by network changes which haven’t been tested properly. So it seems it can be human error following a change, so perhaps not the failing-to-put-any-security-in-place-at-all scenario which some on here speculate might have been the case.

 

Interestingly, your last paragraph above is about what was said in the original article which reported the issue. That article is less categoric and discusses what is sometimes contained in images of that nature. In your later quote, that appears to be interpreted as what is in those images. Interesting how things get exaggerated.

 

An infosec researcher who asked not to be named looked at the server hosting the ANPR dashboard, and told us its configuration revealed the existence of an SFTP account as well as the address of a storage drive filled with raw ANPR images. In addition, we were told the IPv4 addresses of each and every camera was exposed through the dashboard.

 

Typically, ANPR systems consist of regular CCTV cameras feeding a software backend that scans captured still images with optical character recognition technology to isolate and identify number plates. Raw images sometimes capture the faces of drivers and passengers, as well as pedestrians passing by, people entering and leaving homes and shops, as well as anyone they happen to meet in sight of a camera. 
