Unsecured Microsoft Azure Blob Exposes Millions of Automatic Number Plate Recognition Images

• Tesco said that its parking web app and the unprotected Microsoft Azure Blurb were managed by a third-party vendor named ‘Ranger Services’.
• The 19 impacted Tesco car parks include Braintree, Chelmsford, Chester, Epping, Fareham, Faversham, Gateshead, Hailsham, Hereford, Hove, Hull, Kidderminster, Woolwich, Rotherham, Sale (Cheshire), Slough, Stevenage, Truro, Walsall, and Weston-super-Mare.

What’s the matter?

The Register uncovered an unsecured Microsoft Azure Blob belonging to Tesco’s parking web app. The unguarded Blob exposed tens of millions of Automatic Number Plate Recognition (ANPR) images.

A brief overview

Tesco said that its parking web app and the unprotected Microsoft Azure Blurb were managed by a third-party vendor named ‘Ranger Services’, while admitting that millions of timestamped numberplate images were stored on it.

The supermarket giant noted that access to the Azure Blob was opened during a planned data migration exercise to an AWS data lake. However, access to the Blob has now been disabled.

“A technical issue with a parking app meant that for a short period historic images and times of cars entering and exiting our car parks were accessible. Whilst no images of people, nor any sensitive data were available, any security breach is unacceptable and we have now disabled the app as we work with our service provider to ensure it doesn’t happen again.” a spokesperson for Tesco said.

What was exposed?

Tesco customers use the supermarket’s parking web app to validate their parking with a code printed on their receipts along with their vehicle’s registration number, thus avoiding parking charges.

• The Blob includes the images of cars that entered and left 19 Tesco car parks spread across Britain.
• Live ANPR images were saved to the blob as timestamped jpegs.
• Drivers’ photos were also stored in the blob, however, those photos were not visible as they were saved as low-resolution images.

The impacted 19 Tesco car parks include Braintree, Chelmsford, Chester, Epping, Fareham, Faversham, Gateshead, Hailsham, Hereford, Hove, Hull, Kidderminster, Woolwich, Rotherham, Sale (Cheshire), Slough, Stevenage, Truro, Walsall and Weston-super-Mare.

NCP data leak

While investigating the Tesco breach, The Register also found another unsecured AWS bucket. The unprotected storage bucket that exposed tens of thousands of images belongs to National Car Parks (NCP).

• The exposed images appear to be a subset from a live dataset for demonstration purposes.
• The car park operator’s online dashboard was also found publicly accessible.
• The unprotected dashboard allowed anyone to access information inferred from ANPR cameras at an unidentified location.
• The dashboard contained information such as how many times a particular number plate had infringed the car park rules, how many times it has been flagged in particular car parks, and how many penalty charge notices had been issued to it in the past.

Upon discovery, The Register notified NCP about the data leak. The dashboard has since been taken down.