A reminder system used by UK councils potentially exposed taxpayers' sensitive data online.
An investigation conducted by The Register found that a debt-chasing service “freely exposed to the public thousands of taxpayers’ names, addresses, and outstanding debts” via bulk SMS messages sent to remind residents of unpaid bills.
The system was developed by Telsolutions, which acted on behalf of an estimated dozen UK councils.
Debt defaulters were sent text message reminders containing a URL leading to a basic web page showing a council resident’s personal data and outstanding bill. However, changing alphanumeric characters in the web address could reveal records belonging to others, including those living in different council areas.
The publication says that no authentication or security checks were in place in a few cases. While some councils did require a postcode as a verification method, this is far from enough to stop a determined individual from collecting private, sensitive information on a target.
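The two weaknesses described above (links that resolve to other residents' records when edited, and a postcode check that can simply be retried) map to two server-side controls, sketched here as an added example that is not Telsolutions' code. The class, function names, thresholds and postcodes are hypothetical and constructed for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 3                     # assumed lockout threshold per link
LINK_TTL_SECONDS = 14 * 24 * 3600    # assumed link lifetime


def _norm(postcode):
    # Compare postcodes without spaces or case differences.
    return "".join(postcode.split()).upper().encode()


class ReminderLinks:
    """Hypothetical in-memory store for SMS reminder links."""

    def __init__(self):
        self._links = {}  # token -> record

    def issue(self, account_id, postcode, now=None):
        now = time.time() if now is None else now
        # 128 bits from the OS CSPRNG: tokens are unrelated to each other
        # and to the account number, so editing characters in the URL does
        # not land on another resident's record.
        token = secrets.token_urlsafe(16)
        self._links[token] = {
            "account_id": account_id,
            "postcode": _norm(postcode),
            "expires": now + LINK_TTL_SECONDS,
            "failures": 0,
        }
        return token

    def open(self, token, postcode, now=None):
        now = time.time() if now is None else now
        rec = self._links.get(token)
        # Unknown, expired and locked links all return None, so responses
        # do not confirm which tokens exist.
        if rec is None or now > rec["expires"] or rec["failures"] >= MAX_ATTEMPTS:
            return None
        if not hmac.compare_digest(rec["postcode"], _norm(postcode)):
            rec["failures"] += 1     # postcode guesses are capped per link
            return None
        return rec["account_id"]
```

The postcode stays a secondary check here: the unguessable token is what separates one record from the next, and the attempt cap keeps the postcode from being retried until it matches.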
Telsolutions told The Register they have since resolved the issue and have “further increased security and introduced new measures to prevent malicious intent.”
A number of the councils contacted said they took security “seriously”. While one said their Data Protection Officer had been informed, others either pointed to the fact that the majority of links are never accessed or said that they were now investigating the issue.
In 2019, Gateshead council admitted to a slew of data breaches, including a list containing the details of 53 individuals who owed the council money being sent to a resident and medical data being uploaded to an online forum. Last week, Birmingham council allegedly exposed the details of children deemed vulnerable by accidentally uploading them to a taxpayer service.