City of Boston License Plate Reader Data Was Inadvertently Accessible to the Public

Government (U.S.) // Massachusetts, United States

Up until two weeks ago, if someone saw your sleek ride and wanted to rob your mansion, they could find your parking permit number to obtain your address, according to one investigative reporter.

The system -- publicly viewable with files available for download -- included motor vehicle records that dated back to 2012. It is unclear how long the system had been exposed before a reporter noticed the apparent security lapse. 

The open server was intended for file sharing, primarily among municipal parking enforcers.

The company that owns the license plate reader technology, Genetec, disavows responsibility for any privacy gaffe.

But a remote desktop client terminal, which was also left exposed, shows the company had direct access to the system. 

Further investigation of the IP address where the system was located revealed that a Xerox subsidiary owns the server. 

Within two hours of the reporter contacting Xerox, the portal was removed from public view.

After being alerted to the data leak, an American Civil Liberties Union employee discovered his own plate number and address in the database, as did other Boston residents who park and drive around the city. Presented with that information, Xerox referred additional questions to the Boston Transportation Department. A BTD spokesperson said the agency is investigating the matter.

Files obtained during a DigBoston investigation reveal that as the tool searches databases, it alerts department operators if a plate is connected to a person on a hotlist. These lists are created by fusing criminal intelligence from sources like the FBI’s National Crime Information Center and the AMBER Alert program, as well as from data furnished by banks, collection agencies, and the civil court system.

In Boston, a city of approximately 600,000 people, parking enforcement has one hotlist with 720,000 hits, each of which notes a plate number, location info, and available make and model data. Among the targets listed in August: 19 license numbers classified as “immediate threats,” nearly 4,000 affiliated with “wanted persons,” 25 plates linked to bad checks, 75 tied to payment defaults, and 468,617 flagged for cancelled insurance. Also exposed were 2,500 hits on a “Gang/Terrorist Watch.”