Data leak in Switzerland: Open databases at parking enforcement companies
Sensitive owner data and fines for tens of thousands of Swiss drivers were exposed online due to errors by parking enforcement firms.
The business model of private parking enforcement companies rarely meets with approval from drivers. When such companies also falter in IT security, things get really unpleasant. A recent investigation by the news portal Watson has now uncovered a major data leak affecting vehicle owners throughout Switzerland: The two industry giants Funkwache and Unisecur allegedly left extensive databases with highly sensitive information exposed on the internet for a long period.
The extent of the incident is considerable, according to the report, since the systems hold tens of thousands of data records. The database of Zurich-based Funkwache AG alone contained hundreds of thousands of entries in the central fine register and tens of thousands of links between license plates and specific addresses.
The affected companies specialize in monitoring private parking areas on behalf of property owners and real estate managers. Anyone who parks their vehicle there without authorization is recorded. The enforcers then demand a so-called administrative fee to cover the costs of clarifying the incident. If the parking offender does not pay, a criminal complaint is threatened.
Sensitive Logbooks on the Internet
Precisely these sensitive operations could be viewed unencrypted and without password protection due to a poorly configured IT infrastructure. In addition to the names, home addresses, phone numbers, and email addresses of the vehicle owners, detailed logbooks were also affected. In these, the companies recorded the exact locations and control times, vehicle data, and the current status of initiated legal proceedings, including complaints and penalty orders.
The datasets even revealed information about blocked vehicle owners. In Switzerland, citizens can actually have their owner data blocked at the cantonal road traffic offices for simple inquiries. Enforcement companies can bypass this block for legal action for a fee. However, they should have secured the painstakingly obtained information even more strictly.
The cause of the data leak apparently lies in a misconfiguration of the web server and database structure. The affected companies, both tracing back to company founder Meinhard Byell and having the same business model, also share the technical infrastructure and both used the database tool Wakanda. The respective administration interfaces of the systems were directly accessible via comparatively short, easy-to-guess internet addresses.
An IT expert confirmed during the investigation that no in-depth hacking knowledge or special tools were needed to reach the internal structures; a web browser was entirely sufficient. How long the digital barn door stood open has not yet been definitively established. Technical server queries suggest that parts of the affected IT infrastructure may have been reachable from the internet without protection since 2020.
Attempts at Relativization and Official Investigations
The reaction of those responsible followed the classic pattern of damage control and relativization. After initial contact attempts by the editorial team were ignored for weeks in April, the management of Unisecur finally responded and disputed the severity of the security vulnerability. They claimed that in-depth programming knowledge was required to detect the vulnerability, thereby suggesting a targeted search.
Funkwache CEO Meinhard Byell at least confirmed the existence of security vulnerabilities shortly before publication. However, he also stated that they had been closed immediately. Whether unauthorized third parties have copied or misused the data in the meantime, and whether the accesses to the servers were logged at all, remains unclear.
The case is likely to have legal consequences. The Federal Data Protection Commissioner Adrian Lobsiger had not received any notification of the incident from the two companies before the security debacle became public, even though such a notification is mandatory for serious data leaks.
The authority has announced that it will initiate investigations and contact those responsible. It expressly reserves the right to take further legal action. The two parking enforcement companies face significant sanctions for violating their duty of care in handling sensitive personal data, although these will remain below the fine limits of the General Data Protection Regulation (GDPR).
(vbr)