Incident: Traffic Camera Database Breach in Sheffield, England.

Published Date: 2020-04-29

Postmortem Analysis
Timeline 1. The software failure incident happened in 2020 (April 2020) as per the article published on April 29, 2020 [Article 98326].
System 1. Automatic number-plate recognition (ANPR) system used in Sheffield, England [98326] 2. Database keeping records of individual license plates, time of day, and intersection location from 100 different cameras placed around the city [98326]
Responsible Organization 1. The city of Sheffield, England, and the American corporation 3M were responsible for causing the software failure incident [98326].
Impacted Organization 1. Individuals who had their license plate and travel details exposed due to the breach in the traffic camera database in Sheffield, England [98326].
Software Causes 1. Lack of proper authentication and password protection in the ANPR system's database, allowing unauthorized access [98326] 2. Security flaws in the software design of the ANPR system, enabling the breach [98326]
Non-software Causes 1. Lack of proper authentication and password protection: The breach in the traffic camera database was due to the fact that the database could be accessed by entering its IP address into a web browser with no extra passwords or authentication required [98326]. 2. Failure in oversight and compliance: The incident highlighted a failure in oversight and compliance with national standards regarding the use of ANPR systems, as mentioned by Tony Porter, the commissioner of the UK's surveillance camera oversight organization [98326]. 3. Lack of proportionality in surveillance use: The breach demonstrated a lack of proportionality in the use of ANPR technology, as highlighted by Edin Omanovic of Privacy International, who emphasized the need for surveillance programs to be proportionate to the problems they aim to address [98326].
Impacts 1. The breach in the traffic camera database exposed license plate and travel details from more than 8.6 million car trips, compromising the privacy and security of individuals [98326]. 2. The breach revealed that the database, which stored records from 100 different cameras around Sheffield, could be accessed without any additional passwords or authentication, indicating a significant security flaw [98326]. 3. The incident led to concerns about the potential misuse of surveillance technology, highlighting the need for proportionate use and data protection assessments in such systems [98326].
Preventions 1. Implementing proper authentication mechanisms: The breach in the traffic camera database could have been prevented by requiring authentication such as passwords to access the system, thus limiting unauthorized access [98326]. 2. Regular security audits and vulnerability assessments: Conducting regular security audits and vulnerability assessments could have helped identify and address potential security flaws in the system before they could be exploited by malicious actors [98326]. 3. Data protection impact assessment: Prior to implementing the ANPR system, conducting a data protection impact assessment could have highlighted potential risks and vulnerabilities in the system, allowing for proactive measures to be taken to mitigate them [98326].
Fixes 1. Implement proper authentication measures to access the traffic camera database to prevent unauthorized access [98326]. 2. Conduct a thorough security audit of the ANPR system to identify and address any vulnerabilities that could lead to breaches [98326]. 3. Enforce stricter data protection measures and protocols to ensure the security and privacy of the collected information [98326]. 4. Regularly monitor and update the software and security systems to stay ahead of potential threats and vulnerabilities [98326].
References 1. Security specialist Chris Kubecka and writer Gerard Janssen [98326] 2. Eugene Walker, Sheffield's executive director of resources [98326] 3. David Hartley, Assistant Chief Constable of the South Yorkshire Police [98326] 4. Tony Porter, commissioner of the UK's surveillance camera oversight organization [98326] 5. Edin Omanovic of Privacy International [98326]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident related to the breach in the traffic camera database in Sheffield, England, involving the ANPR system used for toll collection, has not been reported to have happened again within the same organization (Sheffield city or South Yorkshire Police) or with its products and services. The incident was described as unacceptable, and the responsible authorities expressed joint responsibility for addressing the breach [98326]. (b) The software failure incident related to the breach in the traffic camera database in Sheffield, England, involving the ANPR system used for toll collection, has not been reported to have happened again at other organizations or with their products and services. The focus of the incident was on the specific breach in Sheffield's traffic camera database and the implications of such a security flaw [98326].
Phase (Design/Operation) design, operation (a) The software failure incident in the traffic camera database breach in Sheffield, England can be attributed to design factors. The breach was a result of a major flaw in the automatic number-plate recognition (ANPR) system used in Sheffield, which allowed unauthorized access to the database without the need for passwords or authentication [98326]. (b) The software failure incident can also be linked to operational factors. The breach was discovered by security researchers while using a tool to analyze web hosts for potential security flaws, indicating that the operation or use of the system played a role in the incident [98326].
Boundary (Internal/External) within_system (a) The software failure incident related to the breach in the traffic camera database in Sheffield, England can be categorized as within_system. The breach was a result of a major flaw within the automatic number-plate recognition (ANPR) system used in Sheffield, which allowed unauthorized access to the database without the need for extra passwords or authentication [98326]. The breach was discovered by security researchers using a tool to analyze potential security flaws in web hosts, indicating that the vulnerability originated from within the system itself. Additionally, the executive director of resources in Sheffield accepted responsibility for the breach, acknowledging that it was unacceptable and required joint efforts to address the data breach [98326].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in this case was primarily due to non-human actions. The breach in the traffic camera database was discovered by cybersecurity researchers using a tool to analyze web hosts for potential security flaws [98326]. The breach allowed unauthorized access to the database without the need for extra passwords or authentication, indicating a vulnerability in the system itself rather than a direct human error. (b) However, human actions also played a role in the incident. The decision to implement the ANPR system, the contract with the American corporation 3M to design the network of traffic cameras, and the choice to keep permanent records of every vehicle passing through the cameras were all human decisions that contributed to the vulnerability exploited in the breach [98326]. Additionally, the responsibility for addressing the breach was accepted by human officials, indicating a level of human involvement in the incident.
Dimension (Hardware/Software) software (a) The software failure incident in the traffic camera database breach in Sheffield, England was not directly attributed to hardware issues. The breach was due to a major security flaw in the automatic number-plate recognition (ANPR) system software used in the city, which allowed unauthorized access to the database without the need for passwords or authentication [98326]. (b) The software failure incident in the traffic camera database breach in Sheffield, England was primarily attributed to contributing factors originating in software. The breach was a result of a significant security flaw in the ANPR system software, which enabled the unauthorized access to the database containing sensitive information on car trips [98326].
Objective (Malicious/Non-malicious) non-malicious (a) The software failure incident in the article is non-malicious. The breach in the traffic camera database in Sheffield, England was discovered by cybersecurity researchers who found a major security flaw in the automatic number-plate recognition (ANPR) system used for toll collection. The breach allowed access to sensitive data without the need for passwords or authentication, indicating a vulnerability rather than a deliberate malicious act [98326].
Intent (Poor/Accidental Decisions) poor_decisions (a) The intent of the software failure incident: - The breach in the traffic camera database in Sheffield, England, was a result of poor decisions related to the security measures implemented in the system. The database could be accessed by entering its IP address into a web browser with no extra passwords or authentication necessary, indicating a lack of proper security protocols [98326]. - The breach was considered unacceptable by the authorities involved, with Eugene Walker, Sheffield's executive director of resources, admitting joint responsibility for the data breach and emphasizing that it was not an acceptable occurrence [98326].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident in the traffic camera database breach in Sheffield, England can be attributed to development incompetence. The breach was a result of a major security flaw in the automatic number-plate recognition (ANPR) system used in Sheffield, which allowed unauthorized access to the database without the need for passwords or authentication [98326]. The breach was discovered by cybersecurity researchers using a tool that analyzes web hosts for security flaws, indicating a lack of proper security measures in the development of the system. Additionally, the breach exposed sensitive information from over 8.6 million car trips, highlighting the severity of the security oversight in the system's development. (b) The software failure incident can also be considered accidental as there was no malicious intent reported in the breach incident. The breach was not caused by a deliberate attack but rather by a security vulnerability that allowed unauthorized access to the database [98326]. The executive director of resources in Sheffield acknowledged the breach as unacceptable and emphasized the need to address the data breach, indicating that the incident was not intentional but rather a result of accidental oversight in the system's design and implementation.
Duration permanent The software failure incident related to the breach in the traffic camera database in Sheffield, England can be categorized as a permanent failure. The breach involved the automatic number-plate recognition (ANPR) system used in Sheffield, which began keeping permanent records of every vehicle that passed through every camera in 2018 [98326]. Additionally, the breach exposed license plate and travel details from more than 8.6 million car trips, indicating a long-term impact on the data stored in the database.
Behaviour crash, omission, value (a) crash: The software failure incident in the traffic camera database breach can be categorized as a crash. The breach involved the ANPR system used in Sheffield, England, which failed to maintain the security of the database, leading to unauthorized access and exposure of sensitive information [98326]. (b) omission: The incident can also be categorized as an omission. The system failed to perform its intended function of securely storing and protecting the data collected from the traffic cameras. This omission resulted in the exposure of license plate and travel details from over 8.6 million car trips [98326]. (d) value: Additionally, the software failure incident can be categorized as a value failure. The system performed its intended function of collecting and storing data from the traffic cameras, but it did so incorrectly by allowing unauthorized access to the database without proper authentication measures in place, leading to a breach [98326].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence unknown (a) death: People lost their lives due to the software failure (b) harm: People were physically harmed due to the software failure (c) basic: People's access to food or shelter was impacted because of the software failure (d) property: People's material goods, money, or data was impacted due to the software failure (e) delay: People had to postpone an activity due to the software failure (f) non-human: Non-human entities were impacted due to the software failure (g) no_consequence: There were no real observed consequences of the software failure (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? The articles do not mention any consequences related to death, harm, basic needs, property loss, or non-human entities due to the software failure incident. The primary focus is on the breach of the traffic camera database in Sheffield, England, and the potential privacy implications for individuals whose data was exposed. The articles emphasize the need for accountability, investigation, and ensuring the proportionate use of surveillance technology.
Domain transportation (a) The failed system was related to the transportation industry, specifically the automatic number-plate recognition (ANPR) system used in Sheffield, England to levy tolls on vehicles traveling into the city center at certain times of day [98326]. The system involved a network of traffic cameras placed around the city to monitor and record vehicle movements for tolling purposes.

Sources

Back to List