IAA Drone Registry Security Error

Today I got an email from the Irish Aviation Authority, letting me know that an error on their drone registry site gave registered users access to everyone else’s details. While the error has since been fixed, they said that the accessible data “included names, addresses, email addresses and phone numbers.” Not good. The email specifies that the IAA became aware of the error on Sunday night, though doesn’t say for how long this has been the case. So presumably it’s possible this has been the case since the system was established months ago. The email does say that there was no leak of financial information, although that’s not a massive reassurance.

Pretty much any drone that meets the criteria to require being registered is going to be worth a few hundred euros, and many if not most will be valued in the thousands. That means that the names and addresses that were accessible are pretty much a map to houses containing expensive gear. I really don’t like the idea of that, and their warning that “If you (or anyone you know) has inadvertently downloaded this file, please be aware that you are obliged to destroy the material in accordance with the Data Protection Act 1988” doesn’t really put me at ease. 

For the record, I completely agree with drone registration.[1] However, if any other website I use had an issue like this I’d likely unregister, or at least remove any personal details I don’t want vulnerable in future. Since it’s mandated in this case, though, I’m stuck leaving them as-is. With that in mind, I find it pretty inexcusable to let an error like that slip through.

  1. It’s probably only a matter of time until someone causes a serious accident due to carelessness, and it’s important that they be traceable.