Recently, British supermarket chain Tesco closed down its parking validation web app after The Register discovered a major data breach. Tesco revealed that its parking web app exposed millions of Automatic Number Plate Recognition (ANPR) images. Tesco stated that its parking web app and the unprotected Microsoft Azure blob were managed by a third-party vendor named ‘Ranger Services’.
The images themselves consisted of photos of cars taken as they entered and left 19 of the company’s car parks spread across the country. While the drivers of these vehicles were not visible in the photos, their license plate numbers were. The Azure blob which powered Tesco’s outsourced parking validation web app had no login or authentication controls and was completely accessible. The company admitted to The Register that these timestamped images were left exposed during a data migration exercise.
Tesco customers use the supermarket’s parking web app to validate their parking with a code printed on their receipts along with their vehicle’s registration number, thus avoiding parking charges. The blob included the images of cars that entered and left 19 Tesco car parks spread across Britain. Live ANPR images were saved to the blob as timestamped JPEGs. Drivers’ photos were also stored in the blob; however, those photos were not visible as they were saved as low-resolution images.
The 19 impacted Tesco car parks include Braintree, Chelmsford, Chester, Epping, Fareham, Faversham, Gateshead, Hailsham, Hereford, Hove, Hull, Kidderminster, Woolwich, Rotherham, Sale (Cheshire), Slough, Stevenage, Truro, Walsall and Weston-super-Mare.
Ranger Services, which operated the Azure blob for Tesco’s web app, is still investigating the extent of the breach. The firm is now called GroupNexus after its recent merger with rival parking operator CP Plus.
Other Data Breaches
While investigating the Tesco breach, The Register also found another unsecured AWS bucket. The unprotected storage bucket, which exposed tens of thousands of images, belongs to National Car Parks (NCP). The exposed images appear to be a subset of a live dataset for demonstration purposes. The car park operator’s online dashboard was also found to be publicly accessible. The unprotected dashboard allowed anyone to access information inferred from ANPR cameras at an unidentified location. The dashboard contained information such as how many times a particular number plate had infringed the car park rules, how many times it had been flagged in particular car parks, and how many penalty charge notices had been issued to it in the past.
Upon discovery, The Register notified NCP about the data leak. The dashboard has since been taken down.
A spokesperson from Tesco explained what happened to The Register, saying “A technical issue with a parking app meant that for a short period historic images and times of cars entering and exiting our car parks were accessible. Whilst no images of people, nor any sensitive data were available, any security breach is unacceptable and we have now disabled the app as we work with our service provider to ensure it doesn’t happen again.”