The ANPR system (automatic number-plate recognition system) managed by Sheffield City Council was left exposed to the internet, thereby exposing 8.6 million records of road journeys to anyone with an Internet connection.
Recently, The Register reported that by entering the IP address of the ANPR system’s internal management dashboard to a web browser, any Internet user could access millions of logs related to vehicle movements in and around the Sheffield county. The database was not protected by any login username or password and exposed which vehicles travelled through Sheffield’s road network, identified by their number plates.
Tony Porter, Britain’s Surveillance Camera Commissioner, has demanded a full investigation into the incident. “As chair of the National ANPR Independent Advisory Group, I will be requesting a report into this incident. I will focus on the comprehensive national standards that exist and look towards any emerging compliance issues or failure thereof,” he said.
Eugene Walker, the executive director of resources at Sheffield City Council, along with Assistant Chief Constable David Hartley of South Yorkshire Police, told the Register that “we take joint responsibility for working to address this data breach. It is not an acceptable thing to have occurred. However, it is important to be very clear that, to the best of our knowledge, nobody came to any harm or suffered any detrimental effects as a result of this breach.”
The Information Commissioner’s Office was notified by Both Sheffield City Council and South Yorkshire Police and an investigation has been initiated to identify the root cause of this incident and recommend steps to avoid such exposure in the future.
Over 8.6 million records of vehicle movements exposed online
The Register stated that “a total of 8,616,198 records of vehicle movements, by time, location, and number plate, could be searched through the dashboard last week” and “this number constantly grew as more and more number plates were captured by the 100 live cameras feeding the system, and locations of vehicles were logged along with timestamps.”
“One camera alone recorded at least 13,000 number plates on Thursday, April 13 – having previously captured 21,000 on Monday, February 24, before the UK entered its coronavirus lockdown,” it added.
In January 2018, when presenting his Annual Report for 2016-17 to the Home Secretary, surveillance camera commissioner Tony Porter not only called for greater transparency in Automatic Number Plate Recognition (ANPR) and other surveillance technologies, but also announced that his department was ‘developing standards for manufacturers, developing buyers guide for surveillance camera systems, training and horizon scanning’.
‘Much frustration still exists amongst the public and purchasing community that equipment fails too easily or quickly degrades thereby rendering the equipment obsolete and also more vulnerable to cyber attack,’ he said.
Aside from alerting operators about the risk from hackers and state actors, Porter also called for more responsibility from operators to ensure that such systems are not used in a way that they compromise the privacy of citizens.
‘Bad surveillance is conducted when these standards are absent, where the public lacks confidence in its presence and operation, and are confused about where accountability for its use and regulatory accountability lies,’ he warned.