Jeremiah Fowler claims the exposed records included identification documents and debit card details, which could be used for financial and phishing scams.
More than 520,000 records relating to car seizures conducted by An Garda Síochána were exposed in a recent data breach, according to a cybersecurity researcher.
Jeremiah Fowler of vpnMentor shared details of a database he discovered that contained records from “numerous private towing and storage companies”, which appeared to be working as private contractors for Ireland’s police service.
Fowler said the records go back as far as 2017 and included “potentially sensitive data” such as vehicle owner names, contractor data and vehicle registration certificates. He also claimed the database contained notices of car seizures, destruction notices, release documents, insurance investigation inquiries and “other documentation relevant to the detention of a vehicle”.
Fowler added that some of the exposed records appeared to contain full debit card details, which could be used by scammers to create “unauthorised fraudulent charges”.
The researcher estimates that there are roughly two to five documents related to each individual case, which means “an average of 150,000 vehicle owners” could be potentially affected by the breach.
Fowler said the database belonged to a private contractor based in Limerick and that the records were restricted on the day when he informed An Garda Síochána about the issue. It is currently unclear how long the database was unrestricted for.
“The technology contractor acted quickly and professionally, they reached out to me to confirm that the records were secure and to ensure that there was no malicious intent in my discovery and disclosure,” Fowler said in a blogpost.
“Although the records indicate they are officially related to Garda’s seizure and storage of vehicles it is important to note that [An] Garda Síochána was not directly responsible for the misconfigured cloud storage repository that resulted in the data breach.”
Fowler said that law enforcement documents and records are “especially coveted” by malicious hackers, as they contain personal identifiable information that can be used for financial or phishing scams.
“If you notice anything out of the ordinary, you should act fast to report it to your bank or freeze the account,” Fowler said. “Another serious potential risk is criminals using identification documents exposed online for identity theft. This includes criminals impersonating you, obtaining financial services in your name, and even using the documents as a template to create fake IDs.
“Monitoring your credit reports or subscribing to a credit monitoring service can help to detect any signs of identity theft and limit the damages or fraudulent accounts.”
In a statement sent to SiliconRepublic.com, An Garda Síochána said this was not a data breach by An Garda Síochána as the IT company involved in the breach was never contracted by nor working for An Garda Síochána.
“Once contacted by An Garda Síochána, the IT company concerned addressed the vulnerability identified and co-operated fully with An Garda Síochána. The company has also confirmed to An Garda Síochána that it has notified the Data Protection Commission,” the statement read. “A data investigation (not a criminal investigation) by An Garda Síochána has determined that the associated risks from the breach to data subjects in An Garda Síochána was limited.”
The statement went on to clarify that An Garda Síochána had no involvement with the creation or management of the database, nor was it the controller of the database. “As such, this is not a data breach of a system for which An Garda Síochána is data controller.”
Earlier this year, four police forces in Northern Ireland and the UK reported data breaches within a month, which were all reportedly caused by technical issues and human error.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.
Updated, 5.30pm, 23 October 2023: This article was updated to include a statement from An Garda Síochána.