Data leak at third-party provider for national police service of Ireland exposes driver details
A large number of drivers found their sensitive information exposed to hackers due to a software error at an IT services firm based in Limerick, Ireland. This IT services firm was retained by towing companies that operate on behalf of An Garda Síochána, the national police service of Ireland.
The breach came to light when a cybersecurity researcher notified the Gardaí about an unprotected online database. This database contained spreadsheets, vehicle registration data, driving licenses, and various other sensitive information.
The breach involved the exposure of over half a million documents, which included details related to insurance investigations, vehicle registration certificates, notices of car seizures, and even payment card information. This breach was not attributed to An Garda Síochána but rather to the software error within the IT services firm's infrastructure.
The exact duration of the security vulnerability remained unclear, as did the number of unauthorized individuals who may have accessed the exposed citizen data. The data breach involved approximately 512,000 documents dating back to 2017, including:
- Receipts that included full debit card details.
- Drivers' licenses and incident summary reports.
- Documents labeled as "confidential," containing incident reports that included names and details of drivers, witnesses, and multiple Garda officers. Many reports included fees, registration numbers, and personal names.
- High-resolution scans of sensitive personal documents.
A spokesperson for the Gardaí stated that they launched a data investigation immediately upon receiving the notification. The spokesperson also highlighted that the towing companies had clear obligations, under their contract with An Garda Síochána, to protect any information supplied to them, including personal data. This obligation extended to situations where these towing companies provided data to third parties for storage purposes.
The IT services company responsible for the security lapse said that the issue arose when it applied a new software release for the data service provided to these towing companies. It considered this an "error" and emphasized that it was an outsourced service provider, not directly contracted by An Garda Síochána. The majority of the exposed data was not related to An Garda Síochána.
The IT services company claimed that it secured the database within 70 minutes of being notified about the vulnerability and conducted a forensic audit. It also indicated that it followed data privacy and legal protocols by contacting relevant authorities, including the Data Protection Commissioner (DPC).