Database could be viewed online or saved as a spreadsheet

Feb 25, 2015 00:05 GMT

A service that offers parking charge notice (PCN) payment and management has inadvertently leaked a link to a database containing details of about 10,000 motorists in the UK.

PaymyPCN is an online service that lets drivers appeal or pay their parking fines to the Driver and Vehicle Licensing Agency (DVLA) through its website. The site is connected to the DVLA database, so the payment information enters the system in the shortest time possible.

Customer details can be sold to third parties

According to the Privacy Policy document, the details of the transactions are encrypted, and data from the users is stored on secure servers. However, all this seems to be absolutely useless if the link to the customer database falls into the wrong hands and the data behind it can be viewed without any hindrance.

It is important to note that the document reveals that customers' personal information may be disclosed not only to other members of the same group but also to third parties, which receive the data in exchange for monetary advantages.

Sky News found that a driver received the URL to the database in error from a parking firm; it later reached the public domain via Twitter after having been relayed to lawyer and consumer activist Michael Green. The tweet has since been deleted.

Viewing the information was not restricted

The publication says that the database was searchable and included a total of 9,721 entries that could be viewed online or downloaded to a spreadsheet file. Sky News says that the information disclosed this way included the names and addresses of the drivers, as made available in the DVLA records.

Apart from this, it appears that messages containing details for appealing the penalty charges or the photographs taken by the authorities could also be accessed, along with the date and location of the contravention.

It is unclear why the link to the database did not benefit from some sort of protection against access by an unauthorized party. Given the sensitive nature of the information it pointed to, there would be no reason for PaymyPCN to keep the link valid outside a controlled network.