Harringay, Haringey - So Good they Spelt it Twice!
Haringey's permit payment site - data leakage woes?
My wife just applied for some visitor permits online. After a bit of a debacle as the council site was down for a bit (I suspect due to problems on Virgin Media tonight) she managed to get the payment pages to load.
Upon completion of payment, she filled out the box with her email address, to get a receipt sent. The receipt has arrived, but the confirmation web page said in fairly small red lettering at the top of the page that it'd been sent elsewhere - to some dodgy looking hotmail address.
The email that we have received has her name, address, and the last four digits of her card number, plus the type of card. Not a great deal of leakage but more than we'd send out to any random person out of choice! If the invoice has gone out to someone else, this seems like a clear breach of data protection regs to me.
Has anyone else noticed this behaviour from the site?
I will be calling HC and also emailing the random address to see if I can get a response. What a crappy payment site. Further evidence to show that it was coded by incompetents it seems! Who on earth signed that design off?!
Tags for Forum Posts: haringey, parking permits online, payment, permit, site
Replies to This Discussion
-
Permalink Reply by Joe Bailey on
-
Interesting that it was apparently spotted by Ms Parker just the other evening, yet Laura reports that she experienced the said same problem a couple of months ago.
Perhaps Haringey knew about this a while ago and hoped nobody else would.
Perhaps it's been happening for a while and they simply didn't spot it until I just before I mentioned this on HoL (a cynical person would suggest this was a strange coincidence).
Perhaps it's intermittent and just affects the odd few here and there (which by reports seems less likely).
Or perhaps it’s something entirely different – right now I can’t think what though!
I suspect this error has been there for a while myself, regardless of who did or did not know about this.
I am still to get any feedback from HC though, even though Ms Parker's office called yesterday morning and promised a response before the end of yesterday!
-
Permalink Reply by Alan Stanton on
-
A few months ago I got a letter with an "offer" from a company which said I'd ordered from them in the past. I hadn't and it worried me. I didn't want their stuff. But I certainly didn't want a bill for items I hadn't ordered.
So I asked them about it. They confirmed that I didn't have any account and that the "offer" took my name and address from a public list.
Joe, do you really want to know whether there was "a strange coincidence"; or if "Haringey knew about this a while ago and hoped nobody else would"? A perfectly fair question. So why not ask them rather than speculate?
If someone in the Council's IT or the Parking Service knew about such odd faults but kept them quiet, Kevin Crompton and Julie Parker very much need to know that. And for a very straightforward and simple reason: online micro-payments depend on customers' confidence.
-
-
Alan,
There are all sorts of social engineering tricks that scammers use. It's a sorry state of affairs that personal data is abused by such naughty folk in my opinion as I’ve been victim of ID fraud before, which is why I know that we all need to guard our personal information closely. I’m sorry that you’ve been contacted by such a scammer, but I’m not sure how this relates to the Council potentially leaking personal data.
Publicly listed information doesn’t reveal any banking details for most people, whereas, for example, being on the electoral list or in the public telephone directory would of course give sufficient information by for someone to write to you by name or perhaps give you the odd unwanted telephone call.
With information such as that which has potentially been sent to the wrong recipient, it’s not hard to see that it would be perfectly possible for a scammer to make a fairly convincing telephone call (one might moot that it could start “Hello Mrs Bailey, I’m calling regarding your MasterCard”) which could fool the recipient of said hypothetical call into divulging all sorts of information.
I certainly would like to know how long this has been a problem, if data has been sent to the wrong addresses, and if HC did know about this in advance of my posting. I would also like to know what steps have been taken since yesterday to investigate and resolve this.
These are indeed questions which I asked Julie Parker's representative when she called yesterday morning, as well as suggesting that the Council suspend the payment system until the answers have been found, as a matter of good IT security practice. However, as yet, I have had no response despite promises of a reply before the end of the day.
Julie Parker has been left a message with my telephone number. If she or Kevin Crompton wish to call me, they certainly may do so. Until then, all I can do is speculate, because no answers have been provided, yet further reports have come in via HoL which give more information to suggest that this is a problem for at least several people, and has at least been a problem for several months.
So with further consideration, the response along the lines of “we’ve just spotted this now” from Julie Parker still seems a little suspicious to be frank. If the Council really have only just spotted this, they haven’t been paying very close attention to their new system which is almost as serious a failing as noticing and failing to do anything about it.
I'm not entirely sure what more you think I should do other than bring this to the attention of the Council, which I have done, and begin a discussion regarding this with fellow HoLers, which has been quite productive as we now know this is not limited to just myself. Remember, at the time of finding this, the Council offices were closed so I did not have the opportunity to alert the Council first. By the time officials were able to look at this, we knew the problem was common to at least three cases, which is a good “heads up” for them regardless of anything else.
If a Council Official cares to clear this matter up (which really can’t be that complicated for them to do), there will be no room for speculation and this matter can reach a conclusion.
-
-
Alan,
I refer to the last paragraph in one of your posts:
"If someone in the Council's IT or the Parking Service knew about such odd faults but kept them quiet, Kevin Crompton and Julie Parker very much need to know that. And for a very straightforward and simple reason: online micro-payments depend on customers' confidence."
Without any speculation, we now have sufficient reports which clearly show that someone in the Council did know about this, and did seemingly keep it very queit. I trust this is sufficient for you to ask Kevin Crompton to investigate and explain?
-
-
Thanks, Joe.
I emailed Kevin Crompton and Julie Parker at 1am this morning, after posting this comment in response to one by Justin Guest.
Sorry these posts were out of time sequence.
-
-
Perfect - thanks Alan, I was tucked up in bed by then ;)
Kind regards...
-
Permalink Reply by Pressdesk at Haringey Council on
-
Response from Haringey Council:
Further to the recent postings on the Harringay on-line forum about on-line payments for residents’ permits, we can assure you that none of the actual details have been sent to the erroneous email address and that no payment details have been accessed/shared.
On an occasional and random nature, the system does not update the current email address in the inbox and shows the email address of the last person who applied online, but in actuality the response is sent to the correct email address, i.e. the person making the payment. Whilst this is disconcerting our investigations show that no payment details have been shared. We are aware of the problem and are working with our system providers to rectify the problem as quickly as possible, and again we are sorry for any inconvenience or concern that this has caused.
-
-
Thanks Pressdesk at HC!
Please can you provide answers to the following questions:
1) How long has HC been aware of this behaviour?
2) Is there any regular quality checking of the new payment system? If so, why wasn't this picked up sooner as reports indicate that it has been a problem for several months now?
3) What testing has been done to verify that no data has been sent to the wrong applicant?
4) Are SMTP / Web logs available for inspection to verify that no data has been sent to the wrong recipient?
5) Was the payment site suspended at any stage as a matter of good practice?
6) Will the Council be spending any further monies rectifying this problem, or is that down to your provider?
7) Even showing the email address of the last person is data leakage - far less concerning than sending out payment confirmations, but not ideal! Many users would not want their email address published, even to just one person! What are the timescales for the fix from your provider?
Many thanks in advance.
-
Permalink Reply by Clive Carter on
-
Online ordering:
I found out just a few minutes ago that Amazon keeps records of my purchases going back at least 10 years. In a split second, Amazon was able to tell me that a copy of The Design of Everyday Things, by Donald Norman, was dispatched to me on 31 October 2001.
I placed fresh orders with Amazon on Sunday; some of them were delivered this afternoon. Amazon are the cat's whiskers. It can be done.
-
Permalink Reply by Hugh on
-
Amazon run an awesome business. I've often got stuff the day following placing an afternoon order.
-
-
Hehe, a little off topic but HC might like to outsource delivery of permits to Amazon then - 10 days for delivery after order, following a 2 day registration process does seem a little tardy when you used to be able to go and buy them and pick them up there and then on the day! Amazon are indeed speedy.
Also, Amazon let you put two or more entirely different things in one shopping basket, and pay for them together. The ordering of different visitor permit types and payment for them all have to be done individually; who'd have thought that people would want to buy some 1 hour AND some 2 hour permits together?! It really is the most rubbish payment site I've seen in a very long time especially as it gives you the email address of the person who last used it!
That I don't have to go to the payment office is a good thing.
That it takes nearly two weeks to get permits is a very bad thing - hardly much of an improvement!
Who did sign that system off?!
© 2024 Created by Hugh.
Powered by
