Islington Council in North London is facing an investigation after it sent out emails to residents applying for parking bay suspensions demanding their full credit card details - typed into a plain-text Microsoft Word application form.
The credit card details demanded by Islington Council included the main 16-digit number, expiry date and even the three-digit CVV code, together with full names and addresses - not only everything a credit card thief could possibly need to drain an applicant's account, but enough to put them at risk of identity theft, too.
The form has now been withdrawn and an internal investigation launched.
The email almost certainly breaks the General Data Protection Regulation (GDPR), which came into force last month, and could attract a large fine for Islington Council from the Information Commissioner's Office (ICO).
However, the nature of the communication also indicates a worrying lack of infrastructure at the Council for spinning up websites capable of securely taking payments for services, as well as a lack of understanding of basic security.
Rashmi Knowles, field chief technology officer for RSA Security, wasn't impressed: "Asking for financial information in a plain-text Word document is, frankly, shocking and the council should really know better.
"This is a serious breach of PCI [Payment Card Industry] security rules, and could potentially fall foul of GDPR as well. Not only has Islington Council asked for card numbers, but also the holder's name, start and expiry dates and even the security code on the back of the card.
"In short, all the information a hacker would dream of having all packaged up in one relatively easy to access place. This type of information should always be encrypted, otherwise, it is very easy for a hacker to obtain.
"People will often put a lot of trust in councils and assume they know best, but this is a good example of the need for us all to be vigilant. If you are ever asked to provide this kind of information, always stop to ask questions and never share such information if it is not encrypted, even if it is a trusted partner that is asking you to."