What is one headline writer’s “major IT breach” may be a blogger’s “data leak.”
Adrian Weckler reports:
The driving licences of thousands of motorists who had vehicles towed on behalf of the gardaí were left at the mercy of hackers in a major data breach, the Irish Independent can reveal.
More than half a million documents exposed include details of insurance investigations, vehicle registration certs, notices of car seizures and payment card details.
The breach was caused by a software error at a Limerick-based IT services firm, which is retained by tow-truck companies working for An Garda Síochána.
While the headline and article talk about “exposed to hackers” or “left to the mercy of hackers,” there was nothing presented in the reporting to indicate that the data were ever accessed by hackers. This was not a confirmed hack — it was an unintended exposure that was discovered by a whitehat researcher, Jeremiah Fowler, who engaged in responsible disclosure.
Could the data have been accessed by ne’er-do-wells? Yes, but was it?
In the meantime, the Data Protection Commissioner is trying to figure out who was actually responsible for the security of the data as the data controller:
A spokesperson for the DPC said that although it has received a breach notice from the IT services company, it was not as data controller, meaning that the IT services firm was not ultimately responsible for safeguarding the information.
It is understood that the DPC is now seeking to establish who, ultimately, is responsible as data controller of the exposed data.
Read more at Independent.ie.