Tesco shuts down parking app after exposure of registration plate images

British supermarket chain Tesco has shut down its parking validation web application after The Register discovered tens of millions of unsecured automatic number plate recognition (ANPR) images stored in a Microsoft Azure blob.

The images were photos of cars taken as they entered and left 19 of the company's car parks across the country. The drivers of these vehicles were not visible in the photos, but their license plate numbers were.

The Azure blob that powered Tesco's third-party validation web application had no login or authentication control and was fully accessible. The company admitted to The Register that these timestamped images had been exposed during a data migration exercise.

Ranger Services, which operated the Azure blob for Tesco's web application, is still investigating the extent of the breach. The company is now called GroupNexus following its recent merger with parking operator CP Plus.

ANPR images on display

The Azure blob contained live ANPR images saved as time-stamped JPEG files. The time when customers parked their car was also included in the image file names. Anyone who worked out the format of the required HTTP POST request could have collected the images in the blob for illegal use.

A Tesco spokesperson explained to The Register what had happened in these terms:

"A technical problem with a parking application meant that, for a short time, the images and historical times of cars entering and leaving our parking lots were accessible. Although there are no images of people or confidential data available, any violation of security is unacceptable and we have now disabled the app while working with our service provider to ensure this does not happen again."

According to the company, the Azure blob was left open during a planned data migration exercise to an AWS data lake. It has since been secured, but Tesco does not want to reveal how long it was open.

Since Tesco purchased the parking monitoring services from a third party, the company stated that Tesco was responsible under the law for protecting the data collected and stored.

Via The Register