British supermarket giant Tesco has closed down its parking app after The Register discovered tens of millions of automatic number-plate recognition (ANPR) images were left unsecured in a Microsoft Azure blob.
The images consisted of photos of cars taken as they entered and left nineteen of the company’s car parks, which are spread across the country. Although the drivers of the vehicles were not visible in the photos, their license plate numbers were.
The Azure blob which powered Tesco’s outsourced parking validation web app had no login or authentication controls and was completely accessible. The company admitted to The Register that these timestamped images were left exposed during a data migration exercise.
Ranger Services, which operated the Azure blob for Tesco’s web app, is still investigating the extent of the breach. The firm is now called GroupNexus after its recent merger with rival parking operator CP Plus.
What is Azure Blob?
Microsoft Azure (formerly Windows Azure) is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers. It provides software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) and supports many different programming languages, tools and frameworks, including both Microsoft-specific and third-party software and systems.
Exposed ANPR Images
The Azure blob contained live ANPR images which were stored as timestamped JPEGs and the time at which customers parked their cars was also included within the image filenames. Anyone able to correctly figure out the format of the required HTTP POST request could have harvested the images in bulk for illicit use.
A spokesperson from Tesco explained what happened to The Register, saying:
A technical issue with a parking app meant that for a short period historic images and times of cars entering and exiting our car parks were accessible. Whilst no images of people, nor any sensitive data were available, any security breach is unacceptable and we have now disabled the app as we work with our service provider to ensure it doesn’t happen again.
According to the company, the Azure blob was left open during a planned data migration exercise to an AWS data lake. It has since been secured but Tesco would not reveal how long it was left open for.
Since Tesco purchased the parking lot monitoring services from a third party, the company says that, under the law, the third party was responsible for protecting the data it collected and stored.
Sources: TheRegister, Wikipedia