Islington Council has been fined £70,000 after accidentally publishing personal data including medical details, cheques and a person’s prison record.
The unencrypted data of almost 90,000 users, across 119 documents, was accessed from over 30 IP addresses by manipulating the URL where data attachments were stored.
The data breach was blamed on a ‘design fault’ in the TicketViewer app, introduced by Islington Council in 2012.
Developed by the council’s internal application team for the authority’s parking services, TicketViewer allowed residents issued with a parking ticket in the North London borough to appeal their parking fine.
Users could log on using their car registration and see CCTV images or videos of their alleged offence, then appeal the ticket if it was not them. In order to do so, users were required to send supporting evidence, which could include details of health, disabilities or finances. Supporting evidence was sent to the council via email or post.
After receiving the documents, the Back Office would scan and upload the information to the system as a ticket attachment folder with the user’s parking fine.
On October 25th 2015, the attachment folders of 71 users were accessed at least 235 times from 36 different IP addresses. Between TicketViewer’s launch in 2012 and the issue being reported by a resident in 2015, 825,000 parking tickets had been issued and 270,000 appeals received, amounting to a lot of data accessible to the public.
Although no harm came to anyone whose data had been leaked, the Information Commissioner’s Office (ICO) said the council failed to take proper measures to stop unauthorised access to personal data, and that the system should have been tested by the council prior to going live and on a regular basis following its launch.
Sally Anne Pool, ICO Enforcement Manager, said: “Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure it can have distressing consequences for all those involved. It’s therefore vital that all council staff take data protection seriously.
“People have a right to expect their personal information is looked after. Islington Council broke the law when it failed to do that.”