Newcastle City Council admits to blunder
By Andy McCue
Published: 27 July 2007 11:58 BST
A security blunder at Newcastle City Council has exposed the credit and debit card details of up to 54,000 people online.
The breach was discovered on 19 July after the council hired an independent security expert to try and crack its systems. The security exercise found an encrypted file containing names, addresses, and credit and debit card numbers had been mistakenly placed on an insecure server.
An internal investigation also revealed the file with all the card details had been accessed and uploaded to a computer with an IP address registered in Israel. Newcastle City Council claims there is no indication of any fraud on the affected cards.
The file contained details of payments for council tax, business rates, parking fines and rents for more than a year between February 2006 and April 2007. The council has informed the banks, police and the Information Commissioner about the breach and said a full investigation into the security breach is underway.
silicon.com's Full Disclosure campaign - what we are asking for...
silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.
We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.
But a council spokesman told silicon.com those people whose card details were exposed online will not be contacted individually by the council.
He said: "It's a question of resources. There could be up to 54,000 people affected. It is up to cardholders themselves - it is best for people to keep an eye on their credit and debit card statements and notify the banks of anything suspicious straight away."
Earlier this month silicon.com launched its Full Disclosure campaign calling for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk. Such laws are already enforced in many states in the US. A Downing Street petition calls for it to be introduced in the UK.
Newcastle City Council said it closed down the insecure computer servers straight away, tightened security and is now "fully confident" it is safe to continue taking credit and debit card payments.
Councillor John Shipley said in a statement: "This is an extremely serious breach, which I was shocked to hear about. My first concern is that every possible measure should be put in place now to protect people whose data might have been compromised, and we have communicated this to the banks and credit card companies."
Newcastle City Council CEO Ian Stratford added in a statement: "We very much regret that this situation has developed, although we would again stress that there has been no indication of any fraud or loss, and that we spotted this situation through the thoroughness of our own security and checking systems."