Thousands of UK drivers' details leaked through hole in parking ticket website

Thousands of UK drivers have been caught up in a data breach at a UK parking firm. A database of parking ticket details held by PaymyPCN.net covering almost 10,000 motorists was mistakenly published online. A security flaw on the private parking firm's website allowed public access to names, addresses, photographs and emails …

  1. corestore

    Yet another reason..

    ...for giving the DVLA an address which... how should I put it? An address which isn't linked too closely or obviously to any location where you actually *live*!

    The DVLA haven't had my 'real' physical address for... nearly 20 years now. And they never will again.

    1. Anonymous Coward

      Re: Yet another reason..

      However you then get a speeding ticket. The ticket is sent to your invalid address. You don't respond so the police decide to prosecute, which you don't respond to so an arrest warrant is issued.

      The police trace you down with your council tax or other details and now you are in court for a number of charges including supplying false information to the DVLA.

      Rather than a visit to a local hotel for a speed awareness course, you are now looking at a big fine and points (and possibly, albeit unlikely, jail)

      Great plan!

      1. corestore

        Re: Yet another reason..

        The address is valid and legal, not false.

        It just can't be linked to where I really live. It's air-gapped, so to speak :-)

        Why would I not respond?

        1. Richard Jones 1

          Re: Yet another reason..

          If you have access to a valid alternative address for mail through which you can receive all items and meet other nebulous rules then you are (a) lucky and (b) probably on sound legal ground. Not all of us have such an easy route. One point that others might need to watch is the tie between car insurance, location and such as the farce of money laundering laws, plus the 'accidental risk' the insurance industry might wish to accuse you of a fraud.

          Note: not knowing your situation, I did caution 'others'.

          1. corestore

            Re: Yet another reason..

            There ARE no 'nebulous rules'. The DVLA have two simple rules:

            1. It must be a UK address

            2. They must be able to write to you there.

            It can be a friend's house, a holiday home, a PO box, a business accommodation address, anything - so long as they can write to you there.

            I *know*. I *checked*.

            Insurance are only concerned about where the car is parked most often, to determine risk.

            1. This post has been deleted by its author

              1. corestore

                Re: Yet another reason..

                This isn't about driving licenses. They don't - yet - have ANPR readers for driving licenses!

                This is about *cars*.

                You don't even have to have a driving license to be the registered keeper of a car. You don't have to be a UK citizen or resident. You don't need a national insurance number, or a driver number. You ONLY need to give your name, and an address where you can be contacted.

            2. GreggS

              Re: Yet another reason..

              You can't give PO Boxes, that has been the case for some years;

              "Write your new name or new address in section 6 of your V5C (you can’t give joint names or Post Office box addresses)."

            3. Richard Jones 1

              Re: Yet another reason. - Re Nebulous Rules.

              @corestore

              I did not refer to the DVLA as having nebulous rules; mind you, neither they nor the police always limit themselves to a strict understanding of the rules and laws. Just look at cars that have been wrongly taken as stolen when they were the result of someone else's fraud, check it out.

              However, when you mix in the insurance industry and HMRC you will begin to find out where the nebulous rules bit applies. 'An address without an income yet with expenses, let's go for them, they might be on the black market, etc.' Yes, the insurance industry needs to know where the car is parked, but the credit checking industry loves inconsistent data; as for the banks, just do not go there. They will not even follow the rules, and sometimes want to ignore the law and court orders, FACT. To protect the innocent (though now dead) I could, but will not, give details beyond saying that the bank in question is very well known; fortunately it caused me negligible difficulty.

              All I am saying is make sure you have all your ducks in a line if you are going to go along with non regular situations.

              Take it from me or learn it yourself: there is nothing so stupid as a bureaucracy that goes on the rampage; money laundering rules are a case in point. Fraudsters appear to have no trouble getting accounts, but Joe Public can have a very hard time.

      2. Anonymous Coward

        Re: Yet another reason..

        And if it's a parking ticket that goes to the "wrong address" you start to rack up penalty charges, fees from recovery companies and one day you'll drive past a police ANPR point and you'll be flagged down and someone from a debt recovery firm will ask for several £100 if not £1000 pounds on the spot or they'll take the car and you'll be walking home!

        1. corestore

          Re: Yet another reason..

          You're all making a VAST and incorrect assumption about the so-called "wrong address".

          Why are you assuming I won't receive and deal with mail addressed there??

          The ONLY reason to do this is to ensure that anyone discovering said address through the DVLA will learn nothing about ME, other than the fact that I can receive mail sent there.

        2. Dave Horn

          Re: Yet another reason..

          Fortunately the police aren't in the act of enforcing civil debts (if a parking ticket can be called a debt in the first place).

        3. Henry Wertz 1 Gold badge

          Re: Yet another reason..

          "And if it's a parking ticket that goes to the "wrong address" you start to rack up penalty charges, fees from recovery companies and one day you'll drive past a police ANPR point and you'll be flagged down and someone from a debt recovery firm will ask for several £100 if not £1000 pounds on the spot or they'll take the car and you'll be walking home!"

          Well, probably not. They can ask for all the bonus charges and penalties they want -- but you can't be flagged down for a private debt, which is what this is.

          We have a similar issue popping up here in the US -- some cities have these speed cameras that they operate themselves. If you get popped you get mailed a photo ticket, and are probably obligated to pay it. OTHER cities (like Cedar Rapids, Iowa - who is greasy enough to have been told their camera installations are ILLEGAL under state law because of the positioning of the cameras and "there's cameras ahead" signs and basically said "Fuck you, we're running them this way anyway and not cancelling any tickets") have Gatso own and operating the cameras. Well, guess what? Gatso is a private company, not a city, county, state, or federal agency. They could mail me a ticket, but I'm not obligated to pay anything because it's not a city, county, or state agency of any type, and I haven't requested any goods or services from them. They can demand payment all they want but there's still no obligations. If they try to put it on my credit report, I can tell the credit agency I didn't order any goods or services from Gatso and the agency is legally obligated (by the Fair Credit Reporting Act) to remove any adverse notes.

          That said -- don't be a jerk about it please! I'm not speeding like a crazy person just because the speed cameras are invalid, and I wouldn't intentionally park without feeding the meter or paying the lot fee or whatever just because private property parking (not)-fines are not enforceable.

    2. Richard Jones 1

      Re: Yet another reason..

      Unfortunately the 'screw you jack system' is set to do just that to you all ways round. Even if you were to use some recoding of your details while maintaining a correct address you can attract a large fine for incorrect details, making it almost 'essential' for you to expose yourself for cack-handed fools like the present bunch of stupid loons to fit you up for data theft.

      What is needed is real teeth in the laws that mean you can sue any bunch of stupid operatives for all costs including rest and recovery from the stress of their mistake - Lazy, deliberate or accidental. Hopefully they will be put out of business.

    3. Anonymous Coward

      Re: Yet another reason..

      I once delayed telling DVLA my address after I moved ... I think at that time you had to post your existing driving licence to them and wait for a new one, and as I had some upcoming business trips that would involve a hire car I needed an actual licence (even with the wrong address). During this time my wallet was stolen but was recovered minus most of its contents, though the driving licence was still in it. Police asked me to make a statement as my bank card had been used by someone they were "interested in", and the officer interviewing me looked through my wallet, found the licence and checked if that was my address, and I had to admit I'd moved a few months earlier but not changed it yet. His reply was that I was required to inform DVLA of a new address within something like a month and technically he ought to issue me with a caution, but under the circumstances he just told me to update it pronto!

    4. HollyHopDrive

      Re: Yet another reason..

      Which is enough of a loophole to give an insurance company a get-out if you cause an expensive claim. Trust me, when they want a way out you need to make sure you don't give them an easy option to void your claim. (Remember the question about the car being registered to your home address. And they will check that is where the car is parked most of the time... with the neighbours!) They aren't stupid these days. Gone are the days of using the parents' address.

      I hate it when some people think for some reason they are exempt from the rules of the land. It's the law. If you don't stick to it yourself how can you take the moral high ground when somebody else doesn't??

      Don't get me wrong, I understand it's because of leaks like this that people think this is the logical thing to do. But really we should be outraged and be expecting this to be dealt with with suitable repercussions, so that people are shit-scared of ever leaking stuff on a badly protected website. If they were fined £1000 per record, payable to the affected person, this would be a nice incentive as a) you'd be real careful and b) the affected party would know what had leaked and the risks to them. Rather than now, where nobody knows if their record has been leaked.

      And this was the reason I opted me and my whole family out of the sharing your medical records debacle. That's one database you don't want leaking yet is hugely valuable to legitimate and illegitimate people alike.

      This company should be fined at a hugely disproportionate amount to encourage them to be more careful in future.

      1. corestore

        Re: Yet another reason..

        Oh the insurance company are well aware. I give my address, but declare that the car is mostly stored at a different address, for which I supply the postcode, and they're happy with that.

        Is it somehow illegal to own or rent multiple properties? There's no obligation to give the DVLA your main residence address, or the address where the vehicle is kept. All they need is a UK address at which you may be contacted. I know; I asked them.

      2. Anonymous Coward

        This company should be fined at a hugely disproportionate amount

        Should but won't.

        1. Anonymous Coward

          Re: This company should be fined at a hugely disproportionate amount

          "This company should be fined at a hugely disproportionate amount"

          NO.

          The *individuals* in charge of the company should individually be fined a hugely disproportionate amount. Companies don't make decisions, individuals do.

          Fining a company is daft, it's a routine cost which is generally just passed on to the customers, workforce, etc, directly or indirectly. E.g. if the fine is big enough the company goes bust, the workforce lose their jobs, suppliers may lose the value of their invoices, etc. Meanwhile the directors responsible barely blink.

          If the directors don't want to be held responsible when things go wrong, that's OK. But then they also can't be responsible when things go right and therefore they aren't due loadsamoney for doing their routine job.

          1. Colin Miller

            Re: This company should be fined at a hugely disproportionate amount

            If the bosses are fined, then they'll charge it to their company as a business expense.

            1. Anonymous Coward

              Re: This company should be fined at a hugely disproportionate amount

              "If the bosses are fined, then they'll charge it to their company as a business expense."

              They might try it, but there are relatively recent precedents which have ruled that such behaviour would itself be illegal, at least in some jurisdictions.

              [[I have removed the rest of the original version of this post, which consisted of verifiable factual references to one of several widely reported court cases, to illustrate the point that directors can't legally do just anything they fancy with their company's money, and that attempting to do so has resulted in both court cases and convictions. Perhaps such references aren't acceptable to The Hand That Bites IT. One wonders what other stuff is being rejected these days.]]

        2. Loud Speaker

          Re: This company should be fined at a hugely disproportionate amount

          No. This is a good justification for the return of public executions - "pour encourager les autres". Jail sentences are required as a minimum.

  2. Dr Who

    On balance I like El Reg

    But this article is just awful. The quote from Sol Cates clearly demonstrates that he has no idea whatsoever what he's talking about. I doubt there was any "backdoor link" that left the "computer database wide open" (what does this even mean?).

    I suspect that the only encryption in place was between client and server via https. The "backdoor link" was most likely an unencrypted database, open to anyone either via a web application vulnerability or via direct access to the database server.

    You will also notice that even now, the site does not enforce https. If you go to paymypcn.net you end up on a standard http connection (even though they still display the Verisign Secured logo at the foot of the page). You have to explicitly go to https://paymypcn.net to get an encrypted link.

    To try and blame the DVLA for this is disingenuous of PaymyPCN.net. This is just a shite web application full of all the usual holes, and John Leyden should have spotted that whilst blindfolded and with his hands tied behind his back.
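The observation above, that a site may answer plain http:// by default and only use TLS when a visitor types https:// explicitly, is something a defender can check mechanically rather than by eye. The script below is an added example, not code from the thread or from PaymyPCN.net. It assumes a hypothetical host `example.test`, and the sample responses are constructed inline so the classifier runs offline; the `fetch` helper is the only part that touches the network and is there for running the same check against a host you operate.

```python
"""Classify whether a site forces plaintext http:// visitors onto HTTPS.

Two requests are needed: a plain-HTTP request (does it redirect to https://?)
and an HTTPS request (does it send Strict-Transport-Security?). Browsers only
honour HSTS received over TLS, so the header is read from the HTTPS response.
Added example; host names and responses below are constructed, not real.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # Location header, if the reply is a redirect
    hsts: Optional[str] = None      # Strict-Transport-Security header, if present


def hsts_max_age(header: Optional[str]) -> int:
    """Return the max-age directive of an HSTS header, or 0 if absent/invalid."""
    if not header:
        return 0
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def classify(plain: Response, secure: Optional[Response]) -> str:
    """Single-hop verdict:
    'not-enforced'  - plain HTTP serves content or redirects to another http:// URL
    'redirect-only' - plain HTTP redirects to https:// but HTTPS sends no usable HSTS
    'enforced'      - redirect to https:// plus HSTS with a positive max-age
    """
    if not (300 <= plain.status < 400 and plain.location):
        return "not-enforced"
    if urlsplit(plain.location).scheme.lower() != "https":
        return "not-enforced"
    if secure is None or hsts_max_age(secure.hsts) <= 0:
        return "redirect-only"
    return "enforced"


def fetch(host: str, use_tls: bool, path: str = "/", timeout: float = 10.0) -> Optional[Response]:
    """One request without following redirects; returns None if the connection fails.
    Network helper (assumed usage against a host you are responsible for)."""
    if use_tls:
        conn = http.client.HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "https-enforcement-check"})
        resp = conn.getresponse()
        resp.read()
        return Response(resp.status, resp.getheader("Location"), resp.getheader("Strict-Transport-Security"))
    except OSError:
        return None
    finally:
        conn.close()


# Constructed sample responses for the hypothetical host example.test.
SAMPLE_CASES: Dict[str, Tuple[Response, Optional[Response]]] = {
    "no-redirect": (Response(200), Response(200)),
    "redirect-no-hsts": (Response(301, "https://example.test/"), Response(200)),
    "hsts": (Response(301, "https://example.test/"),
             Response(200, hsts="max-age=31536000; includeSubDomains")),
    "redirect-to-http": (Response(302, "http://www.example.test/"), Response(200, hsts="max-age=0")),
}


def run_samples() -> Dict[str, str]:
    """Classify every constructed case; used as the offline demonstration."""
    return {name: classify(plain, secure) for name, (plain, secure) in SAMPLE_CASES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]
        plain_resp = fetch(target, use_tls=False)
        print(classify(plain_resp, fetch(target, use_tls=True)) if plain_resp else "no-http-answer")
    else:
        for name, verdict in run_samples().items():
            print(f"{name}: {verdict}")
```

The check is deliberately single-hop: a redirect to another http:// URL is reported as not enforced even if that URL would itself redirect to HTTPS later, because every plaintext hop is a window for interception. A "redirect-only" verdict is the common halfway state where the server redirects but a returning visitor's first request still goes out in the clear; HSTS with a positive max-age closes that gap.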

  3. MrT

    Ah, the same "dedicated to safeguarding <Relevant_Group's> privacy" line, or very similar, that is trotted out whenever a company is found wanting, attempting to douse the flames that have been started by doing the least they could get away with or were prepared to fund. There's another example a bit further down the ElReg news feed.

    This company is legitimising the dubious practice employed by various of their clients of charging 'fines' that some judges have stated are not lawful. Stand back and let them burn.

  4. I ain't Spartacus Gold badge

    One thing these scumbags definitely don't issue is "fines", in quotation marks or otherwise. Only the police or government can fine you for parking. It's a Penalty Charge Notice from the council; I think the police one is called something different. These guys aren't allowed to use the word penalty, as that would be fraudulently pretending to be a fine. But Parking also begins with P, and any invoice can be a charge notice, hence parking charge notice (PCN) being so suspiciously similar. Often they even go to the trouble of making the tops of their letters stripey to look more official.

    They are invoices. They are invoicing you for parking. There are various legalities that make a lot of them challengeable, but in most cases they're only allowed to charge you a reasonable amount. So if it would have cost £2 an hour to park, and you over-stay by an hour, then they can invoice you for £2 + a reasonable admin fee. Not £120. So it's basically a highly speculative invoice.

    They even then follow them up with fake debt collection letters. Given that they often have a trading name that's a 4-surnames-in-a-legal-sounding-row type. So they'll chase you up on behalf of, when it's actually the same company, or at least the same people running it.

    There's a whole bunch of info on how to avoid paying these wankers on the excellent Money Saving Expert site: linky.

    The DVLA should at least use this opportunity to say no more data for you wankers, as you lost the last lot, and put them out of business. Then legislation should sort them all out.

    On the other hand, people also need to stop taking the piss and parking on private land. I used to work for a shop that had a small car park, which was free for customers. And some people would try to park in there and go to work. Which isn't acceptable behaviour either.

    1. GreggS

      Actually, why not just go back to the old way of doing things where they had to pay on a case by case basis for the DVLA to provide them with the details for "legitimate" usage? That way, only the DVLA is to blame if a whole database gets swiped. Why should the DVLA be able to sell our data without our permission (although there's probably a big section in the small print of any vehicle registration and licence renewal that says they can - so there, tough titty), unless it's to law enforcement, for law enforcement purposes.

    2. Mark C 2

      Had one of these PCNs 1 year ago. They wanted £100 for overstaying by 20 minutes or £65 if I paid within 14 days. Guess what, if you challenge it and ask them to go to the POPLA (Parking on Private Land) adjudicator it cost them £35 - hence the difference in paying early.

      I won and I didn't pay. I argued it is not reasonable or fair under English Contract Law and they cannot demonstrate the loss incurred was anything like £100.

      I was actually hoping to go to court but didn't get the chance and probably wouldn't because they know they cannot win and don't want their contract with the Landowner under scrutiny. They rely on people being ignorant of the law and if only 2/5 pay up they are quids in.

      Lots of material on the interwebs but my advice is don't pay and argue Contract law etc. There is the option of ignoring their letters but I don't want debt collectors turning up at my door.

      1. Matthew Collier

        Why would Debt Collectors turn up at your door? Yes, *if* it went to court and you *lost* and you *then* didn't pay, eventually, Debt Collectors would turn up.

        They don't turn up for an unenforceable contract which has been alleged and not proven in a civil court (ignoring the non-civil stuff).

        My advice (based on experience) is to ignore the trolls completely, rather than appeal to their "appeals" service.

  5. Anonymous Coward

    Maybe the POODLE shat on the security?

    https://www.ssllabs.com/ssltest/analyze.html?d=paymypcn.net

  6. Anonymous Coward

    As is the norm...

    ...no one will be held accountable for this security breach.

  7. depicus

    Well you have to ask why this data was being held in the first place. If the fines had already been paid then "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes". But like most things in life nobody will be held accountable and despite some promises to tighten up security very little will happen because security costs and these companies are only interested in making money not protecting your data.
