Customers' data put at risk on Govt website
The e-mail addresses and telephone numbers of more than 1,200 people have been published on Government’s website.The sensitive data was available to view last week on a customer feedback page concerning the Transport Control Department at www.gov.bmThe information was removed after The Royal Gazette informed the Ministry of Transport of its existence.The site featured 25 pages of queries and comments sent to TCD between November 2007 and last month, with almost every entry listing an e-mail address and telephone number. Some customers also provided home addresses and driving licence numbers.The Royal Gazette was able to easily access the 1,233 entries by copying and pasting a web address or URL (Uniform Resource Locator), shared with us by a concerned reader, into an Internet browser.It appeared customers had used a feedback form on the website to submit questions and comments to TCD, unaware their privacy would be compromised and others would be able to read their message and contact details.An online security expert, who asked not to be named, told this newspaper: “If I were to guess, they [TCD] probably knew it was there and for internal staff to be able to look at it, on the assumption that no one external would discover it.“In the old days you could get away with it but with Google and things like that, you can’t now. Search engines are very voracious and programmers often can figure out the way the application works with the URLs and they can figure out a way to create a URL that may not be anticipated.“It’s embarrassing. It shouldn’t be like that. The other thing is that databases containing important information should be encrypted.”The user messages were about everything from lost driving licences and abandoned vehicles to complaints from people who had failed a driving test and requests for information about importing cars and bikes.One victim was construction firm BCM McAlpine, which posed a question about truck licences.CEO Michael Ewles said: “Clearly we are not happy that private information has made its way into the public domain and Government should review and improve its systems to ensure that this doesn’t happen again.“However, fortunately this information published is not sensitive and so no damage has been done.”This newspaper alerted the Ministry of Transport to the web page late on Thursday afternoon. The information was still online at 9pm that evening but had been taken down and replaced with a test message by 10am Friday.The reader who shared the link asked not to be named but said it raised serious questions about how Government handled the personal information of Bermuda’s citizens.“If it affects 1,200 people that’s almost two percent of our population who need to know that if they’ve queried TCD innocently since 2007, then their data is online.“Armed with those names, addresses, phone numbers and the slight ‘window’ from the queries into how they think, I could probably devise a reasonably effective scam that would work for at least some of them.“There is, of course, the wider issue as to whether Bermuda has any form of cyber/data privacy regulation.”Yesterday a Government spokeswoman said: “Informed of an issue with a page on the Transport Control Department website that allows submissions of comments by the public, Government moved to assess the cause of the problem.“A number of comments, posted to a form on this page, were temporarily made available by utilising a sophisticated search engine. This information included a respondent’s name, e-mail address and phone number. The form has now been removed and Government can confirm no critical information was exposed by the site.“Technical officers within the Departments of eGovernment and Information Technology are continuing to carefully diagnose possible causes of the problem to ensure that this risk is mitigated in any other instances where this particular type of form has been used.“It is important to note that this issue did not, in any way, provide a means for the public to access secure data held within the primary TCD systems or data held in any other Government systems.“TCD will be contacting individuals whose names, e-mail addresses and phone numbers might have been accessed to be sure that they are fully apprised of the situation.”Bermuda does not have dedicated privacy legislation, though laws such as the Electronic Transactions Act deal with some aspects of data protection.The Department of E-Commerce said last year a working party was reviewing draft legislation and a public consultation would be carried out in late 2010.It said the proposed law, if approved, would result in “fundamental new rights being granted to individuals regarding their personal information”. It has yet to be tabled in Parliament.l Have you submitted an online TCD query on the Government website since November 2007? Call our news desk on 278-0133 or e-mail news[AT]royalgazette.bm
Here are a selection of questions and comments published on the TCD website:
l “Can I let a tenant use my car as part of a rental package? Meaning, they would rent our house and get a car to drive as part of the rental fee.”
l “I wish to complain because I did my driving test today and failed because the instructor said that the lights were on amber. The lights turned amber as I was nearly on the stop line so it would have been dangerous to stop. I have been driving in other countries since 1987 so I am very disappointed in TCD. I think it's ridiculous that I have to wait a month to prove I don't drive through amber lights. I look forward to your response.”
l “I am divorced but my car is under both names. He is not from here. What can I do to just put it under my name.”
l “Hi, I work for the Environment Department of the States of Guernsey and we are currently looking to review our Road Transport Strategy. I was wondering if you have an equivalent strategy that we could take a look at; it would be very useful to see our strategies in context of other islands'.”
l “I [would] like my daughter who will be working in Bermuda for two years to purchase three-wheel scooter rather than two-wheel scooter as she is short and petite. But I don't see any information regarding three-wheelers. Is it not permitted to have three-wheel scooters?”
l “I would like to know if my husband qualifies to obtain a special person card to use on the buses. He has one limb amputated.”
l “I know that people do not pay their parking tickets. I watched as the driver of [vehicle number] took the parking ticket from his window and placed it the trash container this morning Reid Street outside Washington Mall, Dec 4 approx 10.15am. I sure he will get away with it. Maybe if we collected some of these tickets our $100 million lost wouldn't be so bad.”
l “I am a UK resident and each year I visit Bermuda for two to three weeks whilst I home/dog sit for my friend who lives in Fairylands. It would be most helpful if, in her absence, I was able to use her car to take the little dogs out. Your advice would be greatly appreciated.”
l “Hi, I just want to know if somebody can attend to me at the dump if I go there at 7am on Tuesday to get a car written-off?”
