Sanral’s e-tolling website allows anyone with an Internet connection to check the e-toll balance of any vehicle for which they have the license plate number.
When the Sanral e-toll URL to check outstanding fees is loaded for the first time, users are redirected to a “customer login page”.
However, by simply reloading the page the user gets taken to a “Payment of toll fees for unregistered users” page from which any vehicle’s outstanding toll fees can be checked.
URL to check outstanding e-toll fees
Jacobson Attorneys’ founder and principal attorney Paul Jacobson said that the ability to openly check someone else’s e-toll bill is a problem.
“License plate details are essentially public, so enabling anyone with a license plate number to check e-toll balances without some other form of verification is placing a fair amount of personal information in the hands of people who should not have access to it,” said Jacobson.
“I don’t see any reason why Sanral shouldn’t take steps to require users to log in with an email address and password, for example, or if there is an SMS facility, authenticate with the MSISDN,” he added.
Jacobson said that if the information made available includes names, ID numbers and other details, this could be disastrous and is a very poorly conceived model.
“It would likely fall foul of the Protection of Personal Information Act which requires that personal information be adequately secured,” said Jacobson.
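As an added illustration, not Sanral's code and not code from the article: a constructed, in-memory model of the two designs discussed above, a balance lookup keyed only by the plate number (with the login redirect applied to the landing page rather than to the data itself) beside one that requires a logged-in account linked to that plate, as Jacobson suggests. The plates, balances, account and password below are made-up sample data, and `hash_password`, `WeakToll` and `HardenedToll` are names chosen for this example.

```python
"""Added example, not Sanral's code and not from the article: an in-memory model
of a plate-only balance lookup next to one gated by an authenticated, linked account.
All plates, balances, the account and its password are constructed sample data."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: outstanding balance per license plate.
BALANCES = {"ABC123GP": 1540.25, "XYZ789GP": 0.0}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-SHA256 with a random salt (a stand-in for whatever the real system uses)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, got = hash_password(password, salt)
    return hmac.compare_digest(got, expected)  # constant-time comparison


@dataclass(frozen=True)
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    plates: frozenset  # plates this account is allowed to see


_salt, _hash = hash_password("correct horse battery staple")  # constructed credential
ACCOUNTS = {
    "owner@example.com": Account("owner@example.com", _salt, _hash, frozenset({"ABC123GP"})),
}


class WeakToll:
    """Models the reported behaviour: the first visit is redirected to a login page,
    but the balance endpoint itself never asks who is calling."""

    def __init__(self) -> None:
        self.seen_first_load = False

    def landing(self) -> str:
        if not self.seen_first_load:
            self.seen_first_load = True
            return "redirect:/login"
        return "page:/unregistered-payment"

    def balance(self, plate: str) -> Optional[float]:
        # The redirect above is the only "gate"; the data itself is unprotected.
        return BALANCES.get(plate)


class HardenedToll:
    """The check lives on the data endpoint and runs on every request:
    a valid session AND the plate must be linked to that session's account."""

    def __init__(self) -> None:
        self.sessions: dict = {}  # session token -> account email

    def login(self, email: str, password: str) -> Optional[str]:
        acct = ACCOUNTS.get(email)
        if acct is None or not verify_password(password, acct.salt, acct.pw_hash):
            return None  # same response for unknown user and wrong password
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token

    def balance(self, token: str, plate: str) -> Tuple[int, Optional[float]]:
        """Returns (HTTP-style status, balance): 401 without a session, 403 when the
        caller's account is not linked to the plate, 404 for an unknown linked plate."""
        email = self.sessions.get(token)
        if email is None:
            return 401, None
        if plate not in ACCOUNTS[email].plates:
            return 403, None  # authenticated, but not authorised for this plate
        if plate not in BALANCES:
            return 404, None
        return 200, BALANCES[plate]
```

Checking the plate against the account before looking it up means an unlinked plate gets the same 403 whether or not it exists, so the endpoint does not reveal which plates are in the system. An SMS/MSISDN flow, the article's other suggestion, would replace `login` but leave the ownership check in `balance` unchanged.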
Sanral was asked for comment, but the company could not answer questions within a few days because of the “technical investigation that needs to be done”.