Ranger Services goes to ground over unsecured Azure blob
Exclusive: Tesco has shuttered its parking validation web app after The Register uncovered tens of millions of unsecured ANPR images sitting in a Microsoft Azure blob.
The images consisted of photos of cars taken as they entered and left 19 Tesco car parks spread across the country. Visible and highlighted were the cars' numberplates, though drivers were not visible in the low-res images seen by The Register.
Used to power the supermarket’s outsourced parkshopreg.co.uk website, the Azure blob had no login or authentication controls. Tesco admitted to The Register that “tens of millions” of timestamped images were stored on it, adding that the images had been left exposed after a data migration exercise.
Ranger Services, which operated the Azure blob and the parkshopreg.co.uk web app, said it had nothing to add and did not answer any questions put to it by The Register. We understand that they are still investigating the extent of the breach. The firm recently merged with rival parking operator CP Plus and renamed itself GroupNexus.
Tesco customers across the nation were instructed to use parkshopreg.co.uk to validate their parking with a code printed on their receipts along with their vehicle’s registration number, thus avoiding parking charges.
Live ANPR images were saved to the blob as timestamped JPEGs, with the time information also contained within the image filenames, allowing anyone with access to harvest the images in bulk for illicit use. Tens of millions of images were freely available to anyone who could correctly deduce the format of the required HTTP POST request.
The Tesco car parks affected by the breach include Braintree, Chelmsford, Chester, Epping, Fareham, ..