Upgrade error exposes taxpayers' data

Lambeth Council is demanding answers after a software update to its council tax system resulted in credit card details and personal information being sent as plain text in emails

The security of Lambeth Council's online council tax payment system was compromised last week, after a routine software upgrade.

The glitch led to personal details of local residents who used the service being emailed across the Internet as plain text. This included credit card numbers, card expiration dates and council tax numbers.

Speaking to ZDNet UK, one Lambeth resident said he had paid his council tax to Lambeth Council last Thursday using the online payments system provided by Capita.

According to the resident, the system worked well until he was sent a confirmation email, which contained his council tax number, card number, his name, expiration date, authorisation code, email address and the merchant's number, all in plain text in an email.

The resident immediately emailed the council pointing out that his details had "been exposed, against all good security practice". He received a prompt reply, but not an apology, from the contract manager at Lambeth Council, who explained the "problem existed for a short time only after an upgrade to the software".

The problem came about when the "STOP function that anonymises credit card details" was turned off during the upgrade, the contract manager said.

A spokeswoman for Lambeth Council told ZDNet UK that she had been told by Capita that the system was affected for two days and that it happened when the system "did not apply a mask that should cover the numbers".

The spokeswoman could not say how many residents had been affected by the fault. "We have asked [Capita] but they have not been able to tell us yet", she said on Tuesday, four days after the fault was first reported.

It was "unacceptable for this information to be displayed" the spokeswoman said, adding that the council had been reassured by Capita that adjustments had been made to the software so that the situation "could not happen again".

In May 2001, Lambeth Council cut short a £48m contract to outsource its benefits system to Capita claiming that the system of paying benefits had deteriorated over the previous four years.