In a startling revelation, cybersecurity researcher Jeremiah Fowler has uncovered a severe data breach, exposing a database containing more than half a million records of potentially sensitive information. The exposed data appears to be linked to the Irish National Police Database of automobile seizures and their private towing and storage contractors.
The breached database contained an astonishing 521,043 records, totaling a vast 271.8 GB of data. Among the exposed documents were notices of automobile seizure, destruction notices, release documents, scanned identification materials, insurance investigation inquiries, certificates of vehicle registration, and other documents pertinent to the detention of vehicles. Additionally, the database included spreadsheets and monthly reports encompassing vehicle and registration information, vehicle owners’ names, contractor details, and various other sensitive data.
Under Irish law, vehicle owners whose vehicles are detained are required to present multiple documents, including identification, insurance records, tax receipts, and payment for recovery and storage charges. Given the vast number of records, with an estimated 2 to 5 documents per individual case, it is believed that approximately 150,000 vehicle owners could be affected by this breach. Although the precise number of vehicles seized annually in Ireland remains unclear, historical data suggests that it could reach as high as 30,000 per year, report from vpnMentor said.
Initially, the database’s owner could not be determined due to the numerous towing and storage companies listed in the documents. However, a responsible disclosure notice was promptly sent to the Garda Síochána, the Irish national police service, who appeared to be the common denominator in the documents. The database was secured on the same day, but it was soon revealed that a private technology contractor based in Limerick, Ireland, owned and managed the database. The contractor responded swiftly and professionally, engaging with Fowler to ensure the data was secure and investigating any potential unauthorized access to the exposed records.
It is important to clarify that the Garda Síochána outsources technology management, towing, and storage services to private contractors, and they were not directly responsible for the misconfigured cloud storage repository that led to this data breach.
In accordance with Section 41 (S41) of the Road Traffic Act 1994 in Ireland, the Garda Siochana has the authority to seize and retain vehicles for various reasons, including road safety, law enforcement, and compliance with road traffic regulations. Private towing companies, authorized by the Garda, carry out the tasks of seizing, towing, and storing these vehicles. As of 2022, the Garda had listed 36 private towing companies.
An alarming report in the Irish Examiner in 2020 exposed substantial losses incurred by the Garda Siochana due to vehicle owners failing to recover their seized vehicles. In 2018 alone, the Garda spent an estimated €10.4 million on towing and storage, while recoveries from car owners amounted to just over €2 million. These losses were estimated at €20 million between 2016 and 2018, with the trend suggesting an ongoing increase in losses each year.
The database contained numerous waivers of ownership documents, where citizens relinquished their property to the police due to unpaid fines and storage fees, or because they no longer wanted their vehicles. Additionally, the database exposed various Freedom of Information Act requests that revealed additional expense and budget details.
This breach underscores the critical need for robust data security practices and safeguards within the law enforcement and private contractor sectors to protect sensitive information and the rights of citizens. Authorities are expected to conduct a thorough investigation into the incident and take appropriate measures to mitigate the potential impact on affected individuals.