What’s the matter?
The Register uncovered an unsecured Microsoft Azure Blob belonging to Tesco’s parking web app. The unguarded Blob exposed tens of millions of Automatic Number Plate Recognition (ANPR) images.
A brief overview
Tesco said that its parking web app and the unprotected Microsoft Azure Blurb were managed by a third-party vendor named ‘Ranger Services’, while admitting that millions of timestamped numberplate images were stored on it.
The supermarket giant noted that access to the Azure Blob was opened during a planned data migration exercise to an AWS data lake. However, access to the Blob has now been disabled.
“A technical issue with a parking app meant that for a short period historic images and times of cars entering and exiting our car parks were accessible. Whilst no images of people, nor any sensitive data were available, any security breach is unacceptable and we have now disabled the app as we work with our service provider to ensure it doesn’t happen again.” a spokesperson for Tesco said.
What was exposed?
Tesco customers use the supermarket’s parking web app to validate their parking with a code printed on their receipts along with their vehicle’s registration number, thus avoiding parking charges.
The impacted 19 Tesco car parks include Braintree, Chelmsford, Chester, Epping, Fareham, Faversham, Gateshead, Hailsham, Hereford, Hove, Hull, Kidderminster, Woolwich, Rotherham, Sale (Cheshire), Slough, Stevenage, Truro, Walsall and Weston-super-Mare.
NCP data leak
While investigating the Tesco breach, The Register also found another unsecured AWS bucket. The unprotected storage bucket that exposed tens of thousands of images belongs to National Car Parks (NCP).
Upon discovery, The Register notified NCP about the data leak. The dashboard has since been taken down.