He alerted York council to a massive security flaw. They reported him to the police

Photograph: Storres Jayr on Unsplash
Wednesday 28 November, 2018 @ 8.38 pm News, Politics YorkMix
Share via...

A computer expert who happened upon a major security flaw in a York council app did the right thing, and reported it to the authority.

But instead of council chiefs publicly thanking him – they reported him to police.

Their response has been condemned as “shockingly bad” and “disgraceful” by national data security experts, among them a Microsoft director and the BBC’s ‘hacker in chief’.


Belatedly the council has thanked the original whistleblower for alerting them to the problem. But they haven’t issued an apology.

And their handling of the case may have breached GDPR rules, and is the subject of an external investigation by the Information Commissioner’s Office (ICO).

A City of York Council spokesperson told us: “The One Planet York app data breach is now an ICO case. As a result it would be inappropriate for us to comment about information they will be looking into further.”

We have asked the council specific questions about the incident, and their full answers are below.

Major data breach

The One Planet York app. Photograph: Appaware
On November 18 YorkMix broke the news that phone app One Planet York had a serious security flaw, and was revealing the personal details of nearly 6,000 users.

Ian Floyd, the council’s deputy chief executive and corporate director of customer and corporate services, emailed those users to tell them to delete the app.

And he wrote: “We have notified the police of this deliberate and unauthorised access by a third party.”


But now it has emerged that the ‘third party’ was a developer working with digital experts Rapid Spike.

And he:

  • discovered the fundamental security weakness before it could be exploited by an attacker
  • acted in good faith in alerting the council, in accordance with accepted industry practice
  • followed City of York Council’s own procedures on reporting a security flaw
  • was thanked by council officials via email soon after reporting the problem
  • was quickly exonerated by police, who said he ‘acted correctly’.

The council said they called the police because they tried to contact the informant but ‘they did not respond’. In fact, the developer concerned responded within 18 minutes of receiving the first email from the council, and within a few hours of another email sent the following day.

You can read the timeline on the Rapid Spike blog here.

‘Goodwill down the toilet’

Photograph: Priscilla Du Preez on Unsplash
Among those expressing concern about the way York council handled the issue are Microsoft regional director and online security expert Troy Hunt, and Scott Helme, researcher and ‘BBC hacker in residence’.

Troy called the council response “shockingly bad”:

The details on the @CityofYork "data breach" are now clear and wow, this has to be aired because the handling of it was *shockingly* bad. Start by reading the @rapidspike response here (it was one of their developers that reported this): https://t.co/axFlXB2liJ

— Troy Hunt (@troyhunt) November 27, 2018

While Scott said the council had tried “to flush all good will and respect from security researchers and the wider community down the toilet”:

Local government department tries to flush all good will and respect from security researchers and the wider community down the toilet. https://t.co/f6QUN5AV52

— Scott Helme (@Scott_Helme) November 26, 2018

“To frame this as they have is, quite frankly, disgraceful,” he said.

And the police quickly dismissed the case against the whistleblower:

@troyhunt @Scott_Helme We are aware of the York 'data breach' but please be reassured we don't regard this incident as criminal. We recognise the benefits of software vuln disclosure as part of a healthy security environment and the researcher has acted correctly.

— N Yorks DIIU (@NYPDIIU) November 26, 2018

On the face of it, the council has also fallen foul of the General Data Protection Regulation (GDPR). The flaw was reported to them on October 27.

But Mr Floyd didn’t write to users till November 17, 21 days later. GDPR requires an organisation to notify the ICO within 72 hours of becoming aware of a personal data breach, and to tell the affected individuals without undue delay where the breach is likely to put them at high risk. Whether a three-week gap meets either test is now a matter for the ICO.

We have put all these points to City of York Council. Their answers are below.

What City of York Council says

City of York Council’s West Offices. Photograph: YorkMix
Why didn’t the council act sooner – it was notified of the breach on October 27, but only told users on November 17?
CYC answer: Once we were informed by a third party about the data breach we tried to contact them to both confirm their motives and understand their actions. Despite attempts to contact them, we did not receive their responses and as a result of what appears to be a deliberate and unauthorised access we reported the incident to the police so they could investigate whether a crime had been committed.


Does the council agree that this delayed action is in breach of GDPR rules?
As this is now an ICO case, it is not appropriate for us to respond to questions that will be looked at by ICO.



Why did the council say they couldn’t contact the third party who informed them of the data breach, when there is email correspondence between the council and the informant, including one reply within 18 minutes of the council getting in touch?
The third party has used Sender Policy Framework (SPF) settings on their mail server. This means that any email sent from them must be to certain IP addresses otherwise it will be treated as not legitimate and will be dropped. This is to stop spoofing of their email address, i.e. if the email doesn’t come from a recognised IP address then it will be treated as not legitimate. The first email was successfully received by the council because at that point CYC specialist security checking was not activated. All subsequent responses were not received because they failed the security check and were dropped, as the third party’s own security settings told our security settings not to trust it.
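The council’s answer mentions SPF. For readers who want to see what an SPF check actually decides, here is an added example; it is not code from the council, Rapid Spike or YorkMix, and the domain names and address ranges in it are made up. SPF is a policy that the sending domain publishes in DNS, listing the hosts allowed to send mail on its behalf; the receiving server looks that record up and compares it with the IP address that connected to it, so the record constrains where mail may come from, not where it may be sent to. The Python below evaluates a small subset of the record syntax (ip4, ip6, include and all) against an inline stand-in for DNS, then maps the result to what a receiving server does with the message, including the strict “discard anything that isn’t a pass” behaviour that silently loses legitimate mail from any host the sender left off its list.

```python
"""Added example: a minimal SPF evaluator (RFC 7208 subset) with an offline
stand-in for DNS. Domains and addresses are constructed placeholders, not the
real parties in the York incident."""
import ipaddress

# Constructed TXT records. A real evaluator fetches these with a DNS query for
# the *sending* domain (the domain in the MAIL FROM address).
FAKE_DNS_TXT = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:192.0.2.1 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, connecting_ip, dns=FAKE_DNS_TXT, _depth=0):
    """Return the SPF result for mail claiming to be from sender_domain that
    arrived from connecting_ip. Only ip4, ip6, include and all are modelled;
    any other mechanism yields 'permerror' so an unparsed record can never be
    mistaken for a pass."""
    if _depth > 10:                     # RFC 7208 caps DNS-based mechanisms at 10
        return "permerror"
    record = dns.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no policy published: nothing to check
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        if "=" in term:                 # modifiers (exp=, redirect=) are not modelled
            return "permerror"
        qualifier = "+"                 # default qualifier is '+': pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            # a v4 address tested against a v6 network (or vice versa) is simply False
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            inner = check_spf(argument, connecting_ip, dns, _depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"      # including a missing or broken record is an error
        else:
            return "permerror"          # a, mx, exists, ptr ... not modelled here
    return "neutral"                    # record exhausted without a match


def receiver_action(spf_result, strict=False):
    """What the receiving mail server does with the message. RFC 7208 advises
    rejecting on 'fail' and treating softfail/neutral/none as 'accept and let
    other filters decide'. strict=True models a receiver that discards
    everything short of a pass: it loses legitimate mail from any host the
    sender forgot to list in its record."""
    if spf_result == "pass":
        return "accept"
    if spf_result == "fail":
        return "reject"
    if spf_result == "temperror":
        return "defer"                  # DNS lookup failed: ask the sender to retry
    return "reject" if strict else "accept"


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.10", "2001:db8:1::5", "203.0.113.7"):
        result = check_spf("sender.example", ip)
        print(f"{ip:>16} -> {result:8} strict={receiver_action(result, True):7} "
              f"lenient={receiver_action(result)}")
```

Two things to take from it: an SPF result is produced entirely on the receiving side from the sender’s published record and the connecting IP, and a host that is missing from that record produces “fail” (or “softfail” under a tilde policy) regardless of who the mail is addressed to. Whether such mail is then dropped is the receiver’s choice, and dropping on anything other than “pass” is stricter than the RFC advises.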


As the council had been in contact with the informant, why did they report him to the police?
Once we were informed by a third party about the data breach we tried to contact them to both confirm their motives and understand their actions. Despite attempts to contact them, we did not receive their responses and as a result of what appears to be a deliberate and unauthorised access we reported the incident to the police so they could investigate whether a crime had been committed.


Why did the council ignore the UK Government’s National Cyber Security Centre advice, and the International Standard framework for vulnerability disclosure?
As this is now an ICO case, it is not appropriate for us to respond to questions that will be looked at by ICO.


Is the council holding its own investigation into the data breach – and what are the terms?
As this is now an ICO case, it is not appropriate for us to respond to questions that will be looked at by ICO.




3 Comments
Jon jones
3 years ago

Two words

Ass covering

Barry Wilkinson
3 years ago

Ian Floyd .time to resign .Very bad treatment to all concerned !

Andrew
3 years ago

Clear GDPR breach and almost textbook example of what not to do.

