Newcastle City Council stores credit card transactions on unsecured server
A penetration tester hired by Newcastle City Council discovered on 19th July that a server storing transaction details relating to business rates, council tax, council rents and parking fines had been accessible from the public internet since February 2006. The council took several days to disclose the findings, including the information that a file containing the credit card details of some 54,000 data subjects had apparently been downloaded by a computer in Israel. Fortunately for all concerned, the credit card numbers were apparently encrypted, and the council does not believe that any fraud has resulted from the incident.
This is not an isolated incident in the UK public sector. The push to engage in e-government has put considerable strain on agencies to implement public web services on top of infrastructure that is often elderly and has evolved rather than been planned. Leaks of personal information such as this are a not infrequent consequence. The most notable and potentially damaging was the exposure by the NHS MTAS recruitment system in April of the intimate personal details of junior doctors, which forced its complete and, to date, permanent shutdown.
Strictly, incidents of this kind breach Principle seven of the Data Protection Act, which requires "appropriate technical and organisational measures" to be in place to protect personal data. However, those who breach Principle seven are seldom if ever prosecuted, and fines not exceeding a few thousand pounds are in any case hardly a deterrent. We must hope that the adverse publicity surrounding such incidents eventually serves, where the law is failing, to improve awareness of security obligations within public bodies that store our confidential personal information.