London council 'failed to test' parking ticket app, exposed personal info

A London council has been fined £70,000 after design faults in its TicketViewer app allowed unauthorised access to 119 documents containing sensitive personal information. The parking ticket application, set up in 2012, was developed by Islington council's internal application team for the authority's parking services. It …

  1. Your alien overlord - fear me

    Does Islington council offer a 20% discount if the punter pays their fine early?

    1. Anonymous Coward

      Does Islington council offer a 20% discount if the punter pays their fine early?

      Very possibly. I recently got a penalty notice for driving in a "trams only" zone in Nottingham, and the prompt payment discount was 50%. I'd prefer clearer signs rather than a discount PCN, but the signs are all compliant with the Department against Transport's rules, so I suppose only partially Nottingham CC's fault.

      1. Stevie Silver badge

        a 20% discount if the punter pays early

        Here in NY if you try and use the Official Website to pay off your totally bogus fit-up job red light violation* you get charged a grubbing and usurious surcharge for making it easier for the state government.

        This is because they farm out the collection to predatory gits who retask roller-coaster mugshot tech for draconian innocent car driver victimization, who use the Roman Tax Farmer model for revenue generation - a process with the technical name "Skimming".

        If you then decide "the hell with it, I'll send 'em a check by (arthritic) snail-mail in the envelope provided" you find that the envelope provided is emblazoned with the legend "Red Light Violation Guilty Plea Fine Enclosed" in shouty bold right under the mandatory (in these post 9/11 days) return name and address so anyone seeing it knows you are an axe murderer in the making.

        8op 8ob 8op

        Thrrrrrrrrrrrrrp!

        *AKA a fair cop but society is to blame*

        1. Tessier-Ashpool

          Re: a 20% discount if the punter pays early

          Ha! Here in the U.K., if I got a "red light violation" through the post, I suspect certain parts of my anatomy would be violated by an irate wifey.

        2. Valerion

          Re: a 20% discount if the punter pays early

          Here in NY if you try and use the Official Website to pay off your totally bogus fit-up job red light violation* you get charged a grubbing and usurious surcharge for making it easier for the state government.

          I got a parking ticket on Long Island a couple of weeks ago. The only means of payment are via things like "certified check". As a tourist there is no way I could actually pay the thing - there's no go online and pay option*

          So I'll have to wait for the fine to be doubled for not paying early, then be passed to the car rental firm, who will then pass it on to me, no doubt with a hefty admin fee added on. My only slim hope rests on the fact the car was a Canadian rental that I had brought over the border.

          *Shouldn't be too surprised given even Chip and Pin is a recent phenomenon over there.

          1. Anonymous Coward

            Re: a 20% discount if the punter pays early

            "As a tourist there is no way I could actually pay the thing"

            Don't worry, the extradition demand is on its way.

  2. John Smith 19 Gold badge
    Unhappy

    So yet another case of "Don't re-check system generated data that's been read back in."

    This of course will go on happening until PHB level staff are made seriously accountable (IE have to pay it themselves or do jail time) before anything really changes.

    1. iron Silver badge

      Re: So yet another case of "Don't re-check system generated data that's been read back in."

      Did you mean to post that comment in relation to some other article? The mistake in this article was failing to configure a web server properly, nothing to do with checking data.

      1. John H Woods Silver badge

        Re: So yet another case of "Don't re-check system generated data that's been read back in."

        The content of a URL is data! Are you a PHB?

  3. Daedalus Silver badge

    Early bird

    "The council added that it had taken advantage of the reduced fine offered by the ICO for early payment, which cut the costs to £56,000."

    No doubt they sent in evidence of disability and finances as well.

  4. m0rt Silver badge

    "The ICO said that the folder browsing functionality in the web server was misconfigured and that the application had design faults."

    I would still argue what are these details doing sitting on a webserver, period?!

  5. Frank Bitterlich
    Pirate

    Did they throw him into jail?

    What happened to the dude hacker terrorist who discovered that fiddling with the URL allowed access to other people's data? Surely they must have thrown him into jail for this nefarious use of the URL bar illegal high-tech hacking tools?

    1. Aladdin Sane Silver badge

      Re: Did they throw him into jail?

      They've passed the info onto the feds for the next time he visits The Land of the Freemium™.

  6. Stevie Silver badge

    Bah!

    Good. That'll teach the scofflaw illegal parking louts.

    Maybe a damn good doxxing will succeed where the law has failed.

    Fought wars, rationing, youth of today, thrashing too good, Mafeking, The Blitz, BBC Home Service, etc, more etc.

  7. Anonymous Coward

    Public service and fines

    Ugh... another public body getting fined. Does this now mean that Islington can't afford to pay a social worker and they reduce their quality of service to the people that need it? I don't have an issue with the need to fine organisations that don't fulfil their duty of care to data protection, but I hate the fact that we financially penalise these organisations that are already cash strapped. There MUST be an alternative - make them spend the equivalent fine on the technology or people needed to protect the data in the first place!?

    1. FlamingDeath Bronze badge

      Re: Public service and fines

      The question on my mind is where do the fines go?

      Who pockets it?

      I bet it goes into some slush fund.

      1. Anonymous Coward

        Re: Public service and fines

        The fine goes back to the treasury, not the ICO.

  8. mikey887

    I would have liked to see this exposed once GDPR comes into force

    1. indigomm

      Was thinking just the same. But under GDPR, how do you work out the cost paid for a public organisation? Is it calculated on total income from tax, revenues etc.?

      1. Anonymous Coward

        Exactly the same way it is done now. The upper limit is just that, and not the mandatory fine.

  9. nsld

    Tax roundabout

    So the taxpayers of Islington have paid for the incompetence of the council that they pay for.

    What's the betting that none of the in-house staff at Islington responsible for this have been fired?

    The council should be within its rights to fire them, and sue them for the costs incurred as well.

    1. Why Not?

      Re: Tax roundabout

      Unfortunately the one sacked will be the janitor not a manager.

    2. veti Silver badge

      Re: Tax roundabout

      The taxpayers of Islington are the ones who saved money by not testing the system in the first place. It's completely appropriate that they should be the ones to foot the bill now.

      And those same taxpayers of Islington are, of course, completely within their rights to fire the councillors associated with the project, who are the only people you can reasonably argue are 'responsible'. They'll get a chance to do that next May.

  10. FlamingDeath Bronze badge

    "folder browsing functionality in the web server was misconfigured"

    Who did they outsource it to, TalkTalk?

    "Islington council's internal application team"

    Haha yeah pull the other one

  11. Anonymous Coward

    A concerned user

    Is URL manipulation classed as hacking?

    1. Hans 1 Silver badge
      Joke

      Re: A concerned user

      Using a non-standard, ie, no-IE browser is considered "hacking" these days ...

    2. Anonymous Coward

      Re: A concerned user

      If you're talking about legal terms, have a look at the case of Daniel Cuthbert: https://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/


Biting the hand that feeds IT © 1998–2019