Not every data exposure is a dramatic hack. Some of the most common come from a simple weakness: a web address that quietly trusts whatever record number you put in it.
Reports in 2025 described this pattern affecting parking customer records. The safest way to describe it is a broken-access-control, or URL-enumeration, weakness.
1. You open your own invoice
invoice.example/record/1001
2. You change the record number in the address
invoice.example/record/1002
3. Someone else's invoice loads
A different customer's details are shown
What this measures: A broken-access-control (URL-enumeration) pattern. The addresses and details below are fabricated placeholders, not real data.
Source: heise online, May 2025
Because the page checks the record number but not who is asking, changing one digit can reveal a stranger's information. The reports referred to affected records in Germany, Denmark, Poland and Ireland. The operator's wider airport work gives context, but does not establish that every system was affected.
We have used invented placeholders throughout. No real address, number plate or personal detail is shown, and none should be when writing about a flaw like this.
