Irish Police Vehicle Seizure Records Leaked in Contractor Data Breach

Under Irish law, a detained vehicle’s registered owner must provide multiple documents, including identification and insurance paperwork.

Irish Police Vehicle Seizure Records Leaked in Contractor Data Breach

Cybersecurity researcher Jeremiah Fowler has made the discovery of a non-password protected database with over 500,000 entries, including private data related to the Irish National Police Database of automobile seizures. Additionally, private towing and storage providers were implicated in the data leak.

The exposed database of automobile seizures contained documents from various private towing and storage companies acting as contractors for Garda Síochána, the Irish national police service. These records encompassed notices of automobile seizure, destruction notices, release documents, scanned identification papers, insurance investigation inquiries, certificates of vehicle registration, and other pertinent documents related to vehicle detention.

Additionally, the database held spreadsheets and monthly reports containing vehicle and registration information, owner names, contractor details, and potentially sensitive data. The database’s total size was 271.8 GB, comprising 521,043 documents.

Under Irish law, a detained vehicle’s registered owner must provide multiple documents, including identification and insurance paperwork. Based on the database, an estimated 2 to 5 documents relate to each case.

This suggests that approximately 150,000 vehicle owners could be affected by this breach. Though official data on yearly vehicle seizures is unavailable, an article from the Irish Examiner in 2020 reported around 2,500 vehicles detained monthly, totaling 30,000 per year. Given that the records span several years, this aligns with the potential number of affected individuals.

Initially, ownership of the database was unclear due to the numerous towing and storage companies listed. However, it was later determined that a private technology contractor based in Limerick, Ireland managed the database, not Garda Síochána. The contractor promptly secured the database after notification.

In Ireland, the Garda Síochána can seize and retain vehicles for reasons such as road safety, law enforcement, and compliance with traffic regulations. Private towing companies authorized by Garda handle the tasks of seizing, towing, and storing these vehicles. A 2022 list published by Garda Síochána included 36 private towing companies. Vehicle owners are required to pay a €125 fine plus €35 for every 24 hours the vehicle is kept in storage.

According to a 2020 report by the Irish Examiner, Garda Síochána incurred significant losses each year due to vehicle owners failing to recover their seized vehicles. In 2018 alone, Garda spent approximately €10.4 million on towing and storage, while only recovering just over €2 million in payments from car owners. This trend suggests increasing losses year by year.

The exposed records also included waivers of ownership documents, where citizens relinquished their property to the police when unable to pay fines and storage fees. Additionally, the database contained numerous Freedom of Information Act request documents that disclosed other expenses or budget details.

In the event of a data breach, it is crucial to follow GDPR regulations, which apply in Ireland. Affected individuals should monitor their financial statements for suspicious activity and consider subscribing to a credit monitoring service to detect signs of identity theft. Organizations must promptly notify relevant authorities and affected individuals, as mandated by GDPR.

As an ethical cybersecurity researcher, Fowler emphasizes the importance of responsible disclosure. He never downloads or extracts information from exposed databases, instead accessing them only for verification.

Fowler deletes any redacted screenshots taken for validation purposes after reporting the discovery. His role is to provide accurate and timely information to the public, maintaining a neutral stance and reporting facts and potential risks.

The reporting of this data incident does not imply wrongdoing on the part of the private contractors. Data breaches can occur to even the most diligent organizations. Law enforcement records are particularly sought after by malicious hackers for potential financial and phishing scams.

While the full scope and origins of the exposure remain unknown, the intent of the report is to raise awareness and facilitate constructive dialogue to mitigate the breach’s potential impact and contribute to a safer cyberspace.