Irish National Police Records of Seized Vehicles Exposed in 3rd Party Contractor Data Breach
Cybersecurity researcher Jeremiah Fowler discovered and reported to vpnMentor a non-password-protected database that contained over 500k records, including identification documents and other potentially sensitive information. The documents appear to be associated with the Irish National Police Database of automobile seizures and the private towing and storage contractors.
The database contained records from numerous private towing and storage companies acting as private contractors on behalf of Garda Síochána, also known as the Irish national police service. The records included notices of automobile seizure as well as destruction notices, release documents, scanned identification documents, insurance investigation inquiries, certificates of vehicle registration, and other documentation relevant to the detention of a vehicle. Additionally, there were spreadsheets and monthly reports that included vehicle and registration information, names of vehicle owners, contractor information, and other potentially sensitive data. The total number of documents was 521,043 with a total size of 271.8 GB.
Under Irish law, when a vehicle is detained, the registered owner must present several documents, including identification, insurance documentation, receipts for taxes and the payment for recovery/storage charges. Based on what I saw in the database, it is estimated that there are approximately 2 to 5 documents related to each individual case. Considering the half a million records contained in the database, this means that an average of 150,000 vehicle owners could be potentially affected by the breach. I couldn’t find any publicly available official information regarding the total number of vehicles seized per year, but an article from the Irish Examiner from 2020 claimed that approximately 2,500 vehicles are detained each month, equating to 30,000 per year. Considering the records I saw spanned multiple years, going as far back as 2017, these numbers are consistent with our previous estimation of the number of people potentially affected by the breach.
Initially, I couldn’t determine exactly who owned the database because of the number of towing and storage companies listed in the documents. The only common denominator in all of the documents was the Garda Síochána, so I promptly sent a responsible disclosure notice directly to them, hoping they would take action to secure the exposure. The database was restricted later that day, and although the records all mentioned the Garda, it appears they did not own or manage the database and it belonged to a private technology contractor based in Limerick, Ireland. The technology contractor acted quickly and professionally; they reached out to me to confirm that the records were secure and to ensure that there was no malicious intent in my discovery and disclosure. During the call, we went over the timeline of my discovery to assist in their forensic audit and assess who else may have accessed the exposed records. It appears that the Garda Síochána outsources the technology management, towing, and storage to private contractors. Although the records indicate they are officially related to the Garda’s seizure and storage of vehicles, it is important to note that the Garda Síochána was not directly responsible for the misconfigured cloud storage repository that resulted in the data breach.
In Ireland, Section 41 (S41) of the Road Traffic Act 1994 stipulates that the Garda Síochána has the authority to seize and retain a vehicle for certain reasons, such as ensuring road safety, law enforcement, and compliance with road traffic regulations. The tasks of seizing, towing, and storing these vehicles are carried out by private towing companies who are authorized by the Garda. In 2022, the Garda published a document online that lists 36 private towing companies. Owners of the vehicles are required to pay a €125 fine plus €35 for every 24 hours the car was kept in storage.
According to a report in the Irish Examiner in 2020, an internal audit found that Garda Síochána loses a massive amount of money each year due to automobile owners not paying to recover their seized vehicles. In 2018 alone, the Garda Síochána spent an estimated €10.4m on towing and storage of seized vehicles, while payments recovered from the car owners were just over €2m. The report estimated losses at €20 million between 2016 and 2018, with the trend suggesting that losses will continue to increase each year. I saw numerous waivers of ownership documents where citizens give up their property to the police when they can’t pay the fines and storage fees or they no longer want their vehicle. The database also contained numerous Freedom of Information Act request documents that identified other expenses or budget details.
Some Key Points Regarding Vehicle Detention in Ireland
Vehicles can be detained under S41 of the Irish Road Traffic Act 1994 for various reasons; for instance, if:
- the driver is suspected of committing a serious road traffic offense
- the vehicle is not insured or lacks proper documentation
- the vehicle is used for criminal activity
- the vehicle is used in a way that poses a danger to the public
- the vehicle has defects that make it unsafe to drive on the road.
The Garda can dispose of a vehicle that has been detained, removed, or held in storage if it has not been claimed within 21 days or if the fines and fees have not been paid. If the vehicle owner disagrees with the detention, seizure, or disposal of their vehicle, they have the right to appeal the decision.
What To Do If You Are Affected by a Breach? Here Are Some General Suggestions
The GDPR (General Data Protection Regulation) applies in Ireland, and organizations are required to take data incidents seriously and notify both the relevant authorities and affected individuals promptly. GDPR grants individuals the right to have their personal data protected and to be informed about data breaches that may affect them. If you ever receive such notice or have reason to believe your data may have been exposed online, it’s important to identify and mitigate potential risks.
Depending on the type of data that was exposed, there are different things that you can do. In cases where financial data may have been exposed, you should monitor your bank and credit card statements for any unauthorized or suspicious transactions. If you notice anything out of the ordinary, you should act fast to report it to your bank or freeze the account. Another serious potential risk is criminals using identification documents exposed online for identity theft. This includes criminals impersonating you, obtaining financial services in your name, and even using the documents as a template to create fake IDs. Monitoring your credit reports or subscribing to a credit monitoring service can help to detect any signs of identity theft and limit the damages or fraudulent accounts.
Final Thoughts
As an ethical cyber security researcher, I never download or extract the information that I find. I access exposed databases only to the extent necessary to confirm their nature and the potential risks involved. I never manipulate, change, or interfere with the data. I do, however, take a limited number of redacted screenshots for verification purposes to validate my findings, which I delete after reporting the discovery. I publish my findings in cases where a large number of private citizens’ data was exposed or when it serves the public good to be aware of a potential exposure. Our role is to provide accurate and timely information to the public. In doing so, we aim to maintain a neutral stance, reporting only the facts of the discovery as well as the potential risks associated with any data exposure.
It is essential to clarify that our reporting of this data incident should not be construed as an accusation of wrongdoing on the part of the private contractors. Data breaches can happen to even the most diligent organizations, as the landscape of cyber threats is ever-evolving and complex. Furthermore, law enforcement documents or records are especially coveted by malicious hackers, as they contain plenty of PII that could be used for financial and phishing scams.
Our findings and report are based on the data available at the time of discovery. We do not claim to have comprehensive knowledge of the full scope, implications, or origins of the exposure. It is unknown exactly how long the database and the documents were publicly exposed before I sent the responsible disclosure notice and the database was restricted from public access. Nor do we know if anyone else gained access to the database and records. However, we do not imply that the records or personal information of individuals who had their automobiles seized, members of the Garda, or private contractors was ever at risk or accessed by anyone else. The intent behind our report is not to assign blame, but to inform our readers and the general public about the data exposure incident. Our goal is to promote cyber security awareness and constructive dialogue to mitigate the potential impact of the breach and contribute to a safer cyberspace.