ISLINGTON COUNCIL is being investigated after it was discovered asking residents to provide card details on a Word document sent over email.
The North London borough sent out a form via email (because it's like, totally still 1998) asking users to complete their 16-digit card number, 3-digit CVV and expiry date - offering anyone who intercepted it the "full monty" for stealing funds and making purchases at the expense of the cardholder.
Also requested were details like their address, another perfect bit of data ripe for exploitation. The form, which is used to apply for and pay for parking bay suspensions in the borough (for example, if you wanted somewhere to park a skip temporarily), has been withdrawn and a full internal investigation has begun.
The form appears to break GDPR rules, which could result in a large fine for the council, as well as the card industry's own rules on handling cardholder data.
Rashmi Knowles, Field CTO for RSA Security, comments: "Asking for financial information in a plain text Word doc is frankly shocking and the council should really know better.
"This is a serious breach of PCI security rules, and could potentially fall foul of GDPR as well. Not only has Islington Council asked for card numbers, but also the holder's name, start and expiry dates and even the security code on the back of the card. In short, all the information a hacker would dream of having, all packaged up in one relatively easy to access place. This type of information should always be encrypted, otherwise it is very easy for a hacker to obtain.
"People will often put a lot of trust in councils and assume they know best, but this is a good example of the need for us all to be vigilant. If you are ever asked to provide this kind of information, always stop to ask questions and never share such information if it is not encrypted, even if it is a trusted partner that is asking you to."
Sending a Word document over email shows a lack of infrastructure anyway, but the idea that a not insubstantial council could have fallen foul of the EU's new privacy rules in such an obvious way, and so soon, suggests this is just the beginning of the GDPR fallout. µ
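The data combination described above (16-digit PAN, CVV and expiry in one plaintext document) is exactly what an outbound-mail DLP check should catch before a form like this ever leaves a council mailbox. The following is an added example, not the council's form or any vendor's product: it scans document text for Luhn-valid card numbers, then escalates to "block" when a CVV is present alongside them. The sample form text and the masking format are constructed for the demo.

```python
import re

# Constructed sample standing in for the kind of "fill in your card details"
# form the article describes (test PAN 4111..., not a real card).
SAMPLE_FORM = """Parking bay suspension application
Card number: 4111 1111 1111 1111
Expiry date: 09/26
Security code (CVV): 123
Address: 1 Example Street, N1 (constructed)
"""

# 16 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
EXPIRY_RE = re.compile(r"\b(0[1-9]|1[0-2])\s*/\s*(\d{2}|\d{4})\b")
# A CVV/CVC label followed (within a few characters) by a 3- or 4-digit code.
CVV_RE = re.compile(r"(?i)\b(?:cvv|cvc|security code)\D{0,10}(\d{3,4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out phone numbers and reference IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 16-digit card number in the text, separators stripped."""
    candidates = (re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text))
    return [pan for pan in candidates if luhn_ok(pan)]


def classify(text: str) -> dict:
    """Verdict for an outbound document: 'block' on PAN+CVV, 'review' on PAN alone, else 'allow'."""
    pans = find_pans(text)
    has_cvv = CVV_RE.search(text) is not None
    has_expiry = EXPIRY_RE.search(text) is not None
    if pans and has_cvv:
        verdict = "block"    # PAN plus CVV together must never travel in plaintext
    elif pans:
        verdict = "review"   # PAN alone is still cardholder data; a human should look
    else:
        verdict = "allow"
    # Log only a masked PAN (first six, last four) so the DLP log is not itself in PCI scope.
    masked = [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in pans]
    return {"pans": masked, "cvv": has_cvv, "expiry": has_expiry, "verdict": verdict}
```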