Lessons learned from the ANPR data leak that shook Britain

The recent ANPR data leak raised questions regarding privacy versus data security with public surveillance systems. How do private and public organizations maintain transparency while protecting personal data?

On April 28, 2020, The Register reported that the massive Automatic Number-Plate Recognition (ANPR) system used by the Sheffield government authorities was leaking some 8.6 million driver records. An online ANPR dashboard responsible for managing the cameras, tracking license plate numbers and viewing vehicle images was left exposed on the internet, without any password or security in place. This meant anybody on the internet could have accessed the dashboard via their web browser and peeked into a vehicle’s journey or possibly corrupted records and overridden camera system settings.

ANPR is a complex system of interconnected roadway cameras that automatically capture vehicles’ license plates and run the numbers through government databases for potential matches. This helps the police enforce speeding penalties and identify known adversaries in order to deter crime and terrorism.

The ANPR system also generates significant revenue for the government. “ANPR is a valuable system – generating fines of upwards of £200 million and being structurally significantly more efficient than having roaming speeding police,” says Andy Barratt, managing principal of Coalfire. “The system is either loved or loathed depending on the horsepower you have at your disposal.”

The Council and South Yorkshire Police have suggested there were no victims of the data leak, but experts aren’t so sure. “First, I don't know that we can be confident in their ability to identify whether anyone has improperly accessed or exfiltrated this data, particularly given the egregious situation which resulted in this data breach,” says Dave Stapleton, CISO of CyberGRX. “Second, if the data was exfiltrated and intended to be sold on the dark web or used for social engineering purposes, we may not know whether anyone has or will suffer harm for some time.”

“As forensic investigators, we have often come across data breaches where the reason there were no signs is because there [were] no systems monitoring for signs,” says Barratt. “No evidence of compromise is not the same as evidence of no compromise.”
