Slack procedures cause data exposure in local authority

Late last week, the Camden New Journal local newspaper reported that it had been able to download ‘uncensored licensing applications’ from the council website, containing “home addresses, dates and places of birth, emails, telephone and National Insurance numbers”.

“Experts”, writes the author Tom Foot, “said the details in the applications were more than enough to open bank accounts, to apply for credit cards, loans and passports, and – a particular bugbear of the Town Hall – to commit benefit fraud.”

“Although we don’t have the full facts quite yet,” comments Grant Taylor, VP of the IT threat mitigation specialist Cryptzone, “all compliance requirements insist that personal details, especially financial information, should never be exposed or at risk to this sort of breach. Camden like other local authorities needs to ensure that its electronic systems, including online applications, are closely monitored and that employees diligently follow security policies and procedures”.

Once again this appears to be a failure of procedure rather than an act of malevolence, and demonstrates what security experts have been saying: local authority procedures need to be tightened across the board. “The council will have information security policies and procedures in place that are designed to stop this sort of thing happening,” continued Taylor. “The problem is they are often badly communicated, so people are either unaware of them or don't understand the potential impact of their actions.”

Meanwhile, a similar incident has occurred in Australia: thousands of Telstra customers’ account details have been left exposed on the company website. Visitors to the website are “presented with detailed information outlining the customer's account number, what broadband plan they're on, what other Telstra services they're signed up to and notes associated with the customers' accounts including in many cases their usernames and passwords,” reports The Age newspaper. Telstra has apologized to customers, closed the website, and will brief the Australian Privacy Commissioner.
 
