British supermarket chain Tesco has closed down its parking validation web app after The Register discovered tens of millions of automatic number-plate recognition (ANPR) images left unsecured in a Microsoft Azure blob.
The images themselves consisted of photos of cars taken as they entered and left 19 of the company’s car parks spread across the country. While the drivers of these vehicles were not visible in the photos, their license plate numbers were.
The Azure blob which powered Tesco’s outsourced parking validation web app had no login or authentication controls and was completely accessible. The company admitted to The Register that these timestamped images were left exposed during a data migration exercise.
Ranger Services, which operated the Azure blob for Tesco’s web app, is still investigating the extent of the breach. The firm is now called GroupNexus after its recent merger with rival parking operator CP Plus.
Exposed ANPR images
The Azure blob contained live ANPR images stored as timestamped JPEGs, and the time at which each customer parked was also embedded in the image filenames. Anyone who worked out the format of the required HTTP POST request could have harvested the images in bulk for illicit use.
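The failure described above and in the earlier paragraph on the blob’s missing authentication is a storage-container access level that permits anonymous reads. The following audit script is an added example, not code from The Register, Tesco or GroupNexus: it reads the JSON that the Azure CLI commands `az storage account show` and `az storage container list` print, flags any container whose access level allows anonymous reads, and emits the CLI commands that close the gap. The account name, container names and JSON values below are constructed for illustration; the JSON shape is trimmed from the real CLI output.

```python
"""Audit Azure Blob Storage containers for anonymous (public) access.

Offline example: consumes the JSON printed by
  az storage account show --name <acct> -o json
  az storage container list --account-name <acct> --auth-mode login -o json
and reports containers readable without a login. Sample data is constructed.
"""
import json

# Constructed sample of `az storage account show` output (trimmed to relevant keys).
SAMPLE_ACCOUNT_JSON = """{
  "name": "exampleparkingstore",
  "allowBlobPublicAccess": true,
  "minimumTlsVersion": "TLS1_2"
}"""

# Constructed sample of `az storage container list` output (trimmed).
# publicAccess is null when authentication is required, "blob" when single
# blobs are anonymously readable, "container" when listing is anonymous too.
SAMPLE_CONTAINERS_JSON = """[
  {"name": "anpr-images", "properties": {"publicAccess": "container"}},
  {"name": "migration-staging", "properties": {"publicAccess": "blob"}},
  {"name": "app-config", "properties": {"publicAccess": null}}
]"""

RISK_BY_LEVEL = {
    "container": "anyone can list and read every blob in the container",
    "blob": "anyone who knows or guesses a blob URL can read it",
}
SEVERITY = {"container": 2, "blob": 1}


def audit_public_access(account_json, containers_json):
    """Return findings (dicts) for anonymously readable containers, worst first."""
    account = json.loads(account_json)
    containers = json.loads(containers_json)
    # If the account-level field is absent (older output), assume the permissive
    # setting so the auditor fails closed rather than hiding an exposure.
    account_allows = account.get("allowBlobPublicAccess", True)
    findings = []
    for c in containers:
        level = (c.get("properties") or {}).get("publicAccess")
        if level not in RISK_BY_LEVEL:
            continue  # null / "off": a credential or SAS token is required
        findings.append({
            "account": account.get("name"),
            "container": c["name"],
            "level": level,
            # The account-level switch overrides container ACLs when set to false.
            "effective": "exposed" if account_allows else "blocked by account setting",
            "risk": RISK_BY_LEVEL[level],
        })
    findings.sort(key=lambda f: SEVERITY[f["level"]], reverse=True)
    return findings


def remediation_commands(findings):
    """Azure CLI commands that close the findings; the account-level fix comes first."""
    cmds = []
    for acct in sorted({f["account"] for f in findings}):
        cmds.append(
            f"az storage account update --name {acct} --allow-blob-public-access false"
        )
    for f in findings:
        cmds.append(
            f"az storage container set-permission --account-name {f['account']} "
            f"--name {f['container']} --public-access off --auth-mode login"
        )
    return cmds


if __name__ == "__main__":
    results = audit_public_access(SAMPLE_ACCOUNT_JSON, SAMPLE_CONTAINERS_JSON)
    for r in results:
        print(f"{r['account']}/{r['container']}: publicAccess={r['level']} "
              f"({r['effective']}) - {r['risk']}")
    print("\nRemediation:")
    for cmd in remediation_commands(results):
        print("  " + cmd)
```

In practice the two JSON inputs come straight from the CLI (pipe each command’s `-o json` output to a file and pass the file contents in); the account-level `--allow-blob-public-access false` setting is the durable fix, since it blocks anonymous reads even if a container is later re-created with a permissive ACL during another migration.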
A spokesperson from Tesco explained what happened to The Register, saying:
“A technical issue with a parking app meant that for a short period historic images and times of cars entering and exiting our car parks were accessible. Whilst no images of people, nor any sensitive data were available, any security breach is unacceptable and we have now disabled the app as we work with our service provider to ensure it doesn’t happen again.”
According to the company, the Azure blob was left open during a planned data migration exercise to an AWS data lake. It has since been secured but Tesco would not reveal how long it was left open for.
Because Tesco purchased the parking lot monitoring services from a third party, the company says that under the law the third party was responsible for protecting the data it collected and stored.
Via The Register