INFORMATION belonging to thousands of drivers may be at risk following a data breach of a Limerick-based IT company.
The company, who handle data for 11 tow truck companies who work on behalf of An Garda Síochána, saw over 500,000 potentially confidential documents made available to the public after an “error” when applying for a new release of software.
Documents released contain the driver’s licences, insurance details, vehicle registration certs, and payment details of drivers who have had their vehicles seized by An Garda Síochána.
The leak was first revealed by the Irish Independent, who said that Gardaí were first notified of the breach in August.
In a statement to the Limerick Post, Gardaí confirmed that they were made aware of the breach in August and said that while this breach did not relate to the force itself, Garda investigations into the data leak assessed the risk to the public as “limited”.
“A data investigation (not a criminal investigation) by An Garda Síochána has determined that the associated risks from the breach to data subjects in An Garda Síochána was limited,” a spokesperson said.
“When Garda enforcement activity requires the towing of a vehicle, the relevant Garda signs a form (known as the Garda Vehicle Release form) that is provided to the towing company for their records so they can release the relevant vehicle to the right individual following their payment of the appropriate fine.”
It was forms such as these, as well as high-quality scans of driving licences and incident report forms, among other forms of potentially identifying information, that made it into the public domain after a third party found a vulnerability in a file repository used by the IT company to store files relating to the towing of vehicles.
An Garda Síochána also notified the Department of Justice about the breach in September.
Once notified by the Gardaí of the leak, the IT company made the files secure and ensured they were no longer accessible by the public.
“Under An Garda Síochána’s contract with individual towing companies, there are clear obligations on individual towing companies to protect any information supplied to them by An Garda Síochána including personal data,” the spokesperson said.
“This obligation also extends to situations where individual towing companies provide this information to a third-party for storage purposes.”
It is understood that the Data Protection Commission are also investigating who is responsible as data controller of the exposed data.
The Data Protection Commission were contacted by the Limerick Post but no response was received at the time of going to print.