Islington Council has been fined £70,000 for failing to secure the personal data of 89,000 users of its parking ticket system website.
The council’s Ticketviewer allows people to see a CCTV image or video of their alleged parking offence before submitting an appeal.
But the Information Commissioner’s Office (ICO) found that the council had failed to test the system before and after it went live.
This led to a flaw that in 2015 allowed people to access users’ personal data simply by manipulating the URL.
The ICO said some of the data included sensitive personal information such as medical details submitted in appeals.
Snoopers exploited the design flaw 235 times to gain unauthorised access to 119 documents affecting 71 people.
“People have a right to expect their personal information is looked after,” said the ICO’s Sally Anne Poole. “Islington Council broke the law when it failed to do that.”
An Islington Council spokesperson told NS Tech: “We remain very sorry about the previous Ticketviewer problem and agree with the ICO that we failed to meet the required data protection standards back in 2015.
“As soon as we were aware of the problem we took every possible action to prevent a recurrence and instructed auditors to carry out a thorough review so we could learn from our mistake.”
It is understood that the council’s fine was reduced to £56,000 for prompt payment.