A London council’s data protection efforts are under review after it told residents to email in their payment card details for parking bay suspensions via a Word document.
Islington Council had required residents to share the security code from the rear of their cards, as well as their address, among other details.
One security expert said this appeared to be a breach of the payment card industry’s security rules.
The system has now been suspended.
“We have begun an internal investigation into the process of applying for and paying for parking bay suspensions,” a spokeswoman for the local authority told the BBC.
“In the short term, we have removed that form from our website.”
The Local Government Association said it was not currently aware of any other incidents like this.
The matter came to light after one resident contacted the council in order to secure a spot outside his home for a furniture-moving service.
“I was really surprised that they were collecting credit card details over email, because email isn’t secure,” said Dafydd Vaughan, who works for a technology consultancy.
“If something happened and the details were leaked, they could be used by other people, and the bank would hold me responsible for sending my details in an insecure way.
“I asked the council if I could pay online or over the phone, but was told that email was the only option.”
One cyber-security expert said that Islington Council appeared to have violated a requirement that payment cards’ security codes never be stored by third-parties.
Scott Helme added that there were also several other ways to transmit the other payment information more securely.
“I hope the council will take steps to ensure they properly erase any historic data they have collected in this fashion and notify those involved of any risk they may face,” he said.
“We need to know how many staff had access to these emails, could copies have been made, were they properly erased after use, or are they still stored.
“It will be interesting to see what steps will be taken to prevent incidents like this in the future given this seems to be the only way that constituents had to access and pay for this service.”
The Payment Cards Industry (PCI) – which represents Visa and Mastercard among other issuers – sets rules for organisations that store, process and transmit cardholders’ data.
However, it is up to the individual companies to enforce compliance.
The EU’s General Data Protection Regulation (GDPR) also introduced a legal requirement that “appropriate technical” measures be taken by organisations when handling such details.
“All organisations processing personal data have a responsibility to do so safely and securely,” commented a spokesman for the Information Commisioner’s Office.
“If anyone has concerns about how their data has been handled, they can make a complaint to the ICO.”