[BreachExchange] Just Park: Belfast company flags data breach hitting thousands

Destry Winant destry at riskbasedsecurity.com
Mon Feb 10 10:08:09 EST 2020


https://www.bbc.com/news/uk-northern-ireland-51420790

The details of more than 4,500 people were published on the website of
a new parking app.

The discovery on the corporate section of the JustPark system was made
by a Belfast business owner.

Names, email addresses, mobile numbers, car makes and registrations
from across the UK were all made available.

JustPark, which took over the running of the Department for
Infrastructure's parking app last month, has since amended the glitch.

The information was on the section of the website where the business
which made the discovery registered and paid for parking.

The amount businesses were paying and their parking history was also
available to see.

In a statement, JustPark's founder and chief executive Anthony
Eskinazi admitted that there was "an isolated incident which shouldn't
have happened".

Mr Eskinazi said that he unreservedly apologises for the incident, but
denied that there was "a major data breach".

He added that JustPark informed the Information Commissioner's office
of the breach, but since only one of its clients was able to access
the information that it was unnecessary to file a formal report.

'Our details are out there now'

The issues was raised by Barry Hamilton, the owner of cleaning service
Until It's Done.

He told BBC News NI he "couldn't believe how easy it was" to access
the information.

"We were also seeing some of the companies weren't here in Northern
Ireland, so it's not just a Northern Ireland issue, this is
potentially something for the whole of the UK," he said.

Image captionThe error was discovered by business owner Barry Hamilton

"Obviously our details are out there now."

As of Friday evening, the Information Commissioner's Office said it
had not received a report of a data breach from JustPark.

Organisations are required to notify the commissioner within 72 hours
of becoming aware of a personal data breach, unless it does not pose a
risk to people's rights and freedoms.

If an organisation decides a breach does not need to be reported it is
advised to keep a record of it and be able to explain why reporting
was not necessary.

'Teething problems'

It replaced previous operator ParkMobile, and last week the company
said it had experienced "teething problems".

Several users told BBC News NI they received error messages, incorrect
bills and penalty charge notices (PCN).


More information about the BreachExchange mailing list