A computer expert who happened upon a major security flaw in a York council app did the right thing, and reported it to the authority.
But instead of council chiefs publicly thanking him – they reported him to police.
Their response has been condemned as “shockingly bad” and “disgraceful” by national data security experts, among them a Microsoft director and the BBC’s ‘hacker in chief’.
Belatedly the council has thanked the original whistleblower for alerting them to the problem. But they haven’t issued an apology.
And their handling of the case may have breached GDPR rules, and is the subject of an external investigation by the Information Commissioner’s Office (ICO).
A City of York Council spokesperson told us: “The One Planet York app data breach is now an ICO case. As a result it would be inappropriate for us to comment about information they will be looking into further.”
We have asked the council specific questions about the incident, and their full answers are below.
Major data breach
On November 18 YorkMix broke the news that phone app One Planet York had a serious security flaw, and was revealing the personal details of nearly 6,000 users.
Ian Floyd, the council’s deputy chief executive and corporate director of customer and corporate services, emailed those users to tell them to delete the app.
And he wrote: “We have notified the police of this deliberate and unauthorised access by a third party.”
But now it has emerged that the ‘third party’ was a developer working with digital experts Rapid Spike, who:
- discovered the fundamental security weakness before it could be exploited by an attacker
- acted in good faith in alerting the council, in accordance with accepted industry practice
- followed City of York Council’s own procedures on reporting a security flaw
- was thanked by council officials via email soon after reporting the problem
- was quickly exonerated by police, who said he ‘acted correctly’.
The council said they called the police because they tried to contact the informant but ‘they did not respond’. In fact, the developer concerned responded within 18 minutes of receiving the first email from the council, and within a few hours of another email sent the following day.
You can read the timeline on the Rapid Spike blog here.
‘Goodwill down the toilet’
Among those expressing concern about the way York council handled the issue are Microsoft regional director and online security expert Troy Hunt, and Scott Helme, researcher and ‘BBC hacker in residence’.
Troy called the council response “shockingly bad”:
The details on the @CityofYork "data breach" are now clear and wow, this has to be aired because the handling of it was *shockingly* bad. Start by reading the @rapidspike response here (it was one of their developers that reported this): https://t.co/axFlXB2liJ
— Troy Hunt (@troyhunt) November 27, 2018
While Scott said the council had tried “to flush all good will and respect from security researchers and the wider community down the toilet”:
Local government department tries to flush all good will and respect from security researchers and the wider community down the toilet. https://t.co/f6QUN5AV52
— Scott Helme (@Scott_Helme) November 26, 2018
“To frame this as they have is, quite frankly, disgraceful,” he said.
And the police quickly dismissed the case against the whistleblower:
@troyhunt @Scott_Helme We are aware of the York 'data breach' but please be reassured we don't regard this incident as criminal. We recognise the benefits of software vuln disclosure as part of a healthy security environment and the researcher has acted correctly.
— N Yorks DIIU (@NYPDIIU) November 26, 2018
On the face of it, the council also appears to have fallen foul of the General Data Protection Regulation (GDPR). The flaw was reported to them on October 27.
But Mr Floyd didn’t write to users till November 17, 21 days later. GDPR requires an organisation to notify the ICO of a personal data breach within 72 hours of becoming aware of it, and to tell affected individuals without undue delay where the breach is likely to put them at high risk. A three-week gap before users were told sits well outside both expectations.
We have put all these points to City of York Council. Their answers are below.
What City of York Council says