Personal data belonging to users of York council’s environmental app has been accessed by an unauthorised third party, it has emerged this weekend.
City of York Council has contacted police and has permanently taken down its One Planet York app, following the major security breach.
The app supported the council’s broader One Planet York programme, which seeks to reduce waste and improve the city’s environmental performance, but a third party contacted the council on November 1 to tell staff they had accessed users’ data.
A council spokesman said 5,994 records are contained in the app and could have been breached.
Ian Floyd, the council’s deputy chief executive and corporate director of customer and corporate services, has emailed users.
He told them they should delete the app from their own device.
Deep regret
In his letter, which has been passed on to YorkMix, he wrote:
On 1 November 2018, a third party contacted the council and told us they had found a way to access personal data of those people who use the One Planet York app.
The data accessed included personal information such as your name, address, postcode, email and telephone together with your encrypted password.
To our knowledge, the data accessed did not include any further sensitive information. In addition, the One Planet York is isolated from other council systems and therefore unable to access other personal data.
He added: “We have conducted a thorough review of the One Planet York app, we have deleted all links with the app and as a result, will no longer support it going forward.
“This is to prevent a recurrence of such an attack, and to protect the privacy of residents and users of the app. We have deleted it from our website and asked for it to be removed from the app stores and ask that you now delete it from your device.
“We have notified the police of this deliberate and unauthorised access by a third party.”
The council has also issued a Q&A about the breach – see below.
The One Planet app
The winning idea from Appware was focused on waste and recycling and after several pitches, Appware were chosen as the winners and began working on the idea with staff at the council.
The app allowed residents to easily check their next waste and recycling collection date. Users could also scan the barcode on household products to see whether they could currently be recycled.
Users gained ‘Planet points’ when they scanned items, ranking them against other app users.
At its launch in June 2016, Cllr Andrew Waller, executive member for the environment, said:
The One Planet York app is a great way for residents to hopefully become more environmentally friendly with handy hints and tips to help them increase their recycling.
This will help York in our aim to become the Greenest City in the North and our plans to become a One Planet Council.
App Q&A
The council has also sent a Q&A with its letter. This is an excerpt from that document:
What a joke “We cannot say for certain what the third party responsible has done with the data.” The party ‘responsible’ for the data breach was the Council who commissioned the app and didn’t have it tested properly. The poor person who they say “was behind the deliberate unauthorised access” simply noticed the problem and let them know! Useless idiots!
A typical council response to blame the person who found a vulnerability rather than thanking them for not publicly sharing it, and in the process of finding the issue has potentially protected many users, some of whom may be vulnerable.
The chances are that these were “grey hat” hackers that look for vulnerabilities, then claim a “bug bounty” to disclose the flaws found. They really should have had the app and API tested by a professional outfit before being released. Sadly very few organizations bother until something like this happens.
Why didn’t the Council
a) make this known earlier and
b) look at fixing the security issue rather than simply throwing in the towel and giving up on the app? It was a very useful resource.
Agree with this, why just walk away from something that was really innovative and useful. No other council had something like this and it had huge potential to be developed further. Whilst the data breach is serious and needs addressing, abandoning the app altogether displays a total lack of vision and ambition.