Mobile parking service RingGo, which is used by 4.3 million motorists across the UK, suffered a data breach earlier this month following the release of its new iPhone app.
When customers logged in, they found other people’s personal details displayed instead of their own. A statement from the company’s parent firm, Cobalt Telephone Technologies, confirmed that 600 people were directly affected, and another 1,400 who were parking at the time of the incident had their passwords disabled as a precaution.
Vehicle information exposed
The breach exposed some worryingly specific details about fellow users. Names and phone numbers were accompanied by users’ vehicle information, including car model, colour, registration number and locations where they had parked.
It also exposed some payment card data – the last four digits of users’ debit or credit cards – but this is not enough to make payments on the app or gain access to the bank account.
The company admitted that the breach was “totally unacceptable” and has contacted affected users by email, phone and SMS.
Meanwhile, RingGo users have been taking to Twitter to express their frustration:
Just got a call from a guy who logged into @RingGo_parking app and it loaded my personal info – he phoned my mobile number that was revealed
— Jan Rust (@pixeldotjan) April 13, 2017
Have to admit @RingGo_parking you’d have to go some to create a more user-unfriendly app. How did you manage to make it so useless?
— Christopher Anton (@GBRChris_A) April 14, 2017
@RingGo_parking New iphone app still not fixed. I still see other people’s account and payment details! #RingGo #databreach
— Roger Laing (@rogerlaing) April 14, 2017
Repercussions
According to Cobalt Telephone Technologies’ statement, “a full investigation into the root cause has taken place so that this issue will not happen again. We followed standard data incident procedures and submitted a report covering this data issue to the ICO”.
The breach will likely result in a hefty fine for the company. Under current UK data protection law, the maximum penalty for data breaches is £500,000, but as of next year – when the EU General Data Protection Regulation (GDPR) supersedes the Data Protection Act (DPA) – the limit will be much higher.
Any company found to be in breach of the GDPR will face a fine of up to €20 million (approximately £16.7 million) or 4% of its annual global turnover – whichever is greater.
Preparing for the change can be a tricky task in itself. Earlier this month, Flybe was fined by the ICO for breaching the PECR while trying to prepare for the GDPR.
If your company is currently preparing for the GDPR, or if you are looking to understand and demonstrate your knowledge of it, you should take a look at IT Governance’s EU GDPR Expertise Bundle.
With a number of GDPR resources in one package, the bundle includes a pocket guide to the Regulation, an implementation and compliance guide, and an introduction to the legal and practical data protection risks involved in using Cloud services.