A few months ago, I bought an electronic toll device.
When I entered my car registration number, the NRA webpage updated to show me the make, model, colour and country of registration of my car.
A quick test showed I could also look up any other car's details simply by entering a registration number.
When I phoned to point out the obvious risk of putting this information online, I was told that the website had been cleared by the Data Protection Commissioner. I didn’t bother following up with the commissioner.
Besides, how harmful could it be to know the make and model of a random car?
Trouble is, eflow didn’t stop at putting car information online.
In a later iteration, the website happily released personal details including names and addresses to anyone who cared to look.
The Data Protection Commissioner has been informed about the problem, and the NRA took ‘immediate steps to remove the name and address details’.
All of which leads me to wonder, did the data commissioner miss this breach when it ‘cleared’ the website, or did the NRA just tell me it had been cleared to get rid of me?
Note to self: Next time, verify.