Sheffield City Council's automatic number-plate recognition (ANPR) system in the UK exposed 8.6 million records of road journeys made by thousands of people, The Register reports

The Register claims that ANPR camera system's internal management dashboard could be accessed by simply entering its IP address into a web browser, and no login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield's road network. According to The Register, a total of 8,616,198 records of vehicle movements, by time, location, and number plate, could be searched through the dashboard, and that number constantly grew as more number plates were captured by the 100 live cameras feeding the system, and locations of vehicles that were logged along with timestamps. 

Britain's Surveillance Camera Commissioner Tony Porter described the security lapse as "both astonishing and worrying," and demanded a full probe into the breach. Porter told The Register, "As chair of the National ANPR Independent Advisory Group, I will be requesting a report into this incident. I will focus on the comprehensive national standards that exist and look towards any emerging compliance issues or failure thereof."

Eugene Walker, Sheffield City Council's executive director of resources, together with Assistant Chief Constable David Hartley of South Yorkshire Police, told The Register, "We take joint responsibility for working to address this data breach. It is not an acceptable thing to have occurred. However, it is important to be very clear that, to the best of our knowledge, nobody came to any harm or suffered any detrimental effects as a result of this breach."

The dashboard was taken offline within a few hours of The Register alerting officials. Sheffield City Council and South Yorkshire Police added, "As soon as this was brought to our attention we took action to deal with the immediate risk and ensure the information was no longer viewable externally. Both Sheffield City Council and South Yorkshire Police have also notified the Information Commissioner's Office. We will continue to investigate how this happened and do everything we can to ensure it will not happen again."

Fausto Oliveira, Principal Security Architect at Acceptto, says that this is extremely concerning and demonstrates a series of gaps that he has pointed out several times in the past when talking about IoT. "I cannot understand why 3M or Neology didn't ship their systems with a set of security controls that would have prevented this incident from happening in the first place. There is no reason why a system that has access to so much private data is exposed on the Internet. There is absolutely no reason why such a system wouldn't enforce good authentication practices and require a form of Multi-Factor Authentication (MFA), after all, we are talking about tracking the movement of members of the general public. Access to such a system should be secured and access to this system should only be granted to members of the organization that have a legitimate legal / business need," he says.

To make matters worse, Oliveira adds, the fact that the web cameras are accessible from the Internet, without any form of protection, is opening "the door for any attacker to be able to obtain information about potential victims such as what is their habitual way to work, what time they leave, places they frequent, etc… With some sophistication, attackers could set up a surveillance system of their own to track the whereabouts of their victims. In the end, and in light of GDPR, the general public will have to pay the cost of this event twice. Firstly by losing their privacy and secondly, and I sincerely hope this happens, when the UK ICO fines the council for breaching the privacy of the general public diverting essential financial resources.”

Terence Jackson, Chief Information Security Officer at Thycotic, says, “This highlights the importance of having a mature risk management program. We have to treat risk as a continuous effort and not a point in time snapshot. In many networks systems come and go, but is there an audit trail or formal change management process to track them? You can’t protect what you do know exist. Misconfigurations do happen, however there should be a trail leading back to who approved the change and why? This incident is indeed worrisome, but unfortunately, not uncommon.”

Cybersecurity best practices would suggest that sensitive data should always be protected by reliable access controls, says Arun Kothanath, Chief Security Strategist at Clango. "Credentials can be stolen, passwords can be cracked, but identity and access management (IAM) programs driven by best practices can stop attackers in their tracks. If the Sheffield City Council had implemented an IAM program, then they could have controlled who had access to the ANPR camera system's internal management dashboard and effortlessly thwarted the attack. By controlling who can access what in an IT environment, an organization can effectively defend against even the most sophisticated cyberattacks," notes Kothanath.