A data breach notification from the City of York Council has gone awry as new details about the incident reveal an entirely inappropriate response to the responsible disclosure of a vulnerability potentially affecting thousands of users.

On November 16, the City of York Council informed users of the One Planet York waste management mobile app that a third party had found a way to access sensitive information belonging to them, such as their names, addresses, email addresses, phone numbers, postcodes and a hashed version of the login password, along with the accompanying salt.

Blaming the responsible party

The council went beyond taking the appropriate steps to minimize the danger to users and reported the third party to the police for illegal access to other individuals' personal information, despite stating that the individual who reported the problem asked for nothing in return and stated that "they provided this information to make us aware of the issue and enable us to address it."

The police did not treat the matter as a criminal offense since the details provided by the City of York clearly indicated that the report was made in good faith. It turned out that the disclosure came from a developer at tech company RapidSpike, who followed the responsible disclosure protocol from the City of York Council.

After researchers Troy Hunt and Scott Helme drew attention to the risk that the person who had done the right thing could face legal trouble, the North Yorkshire Police's Digital Investigation & Intelligence Unit tweeted that the researcher had acted correctly.

It was a design flaw, no illegal access necessary

RapidSpike released a statement yesterday, clarifying how things developed on their side. The vulnerability was a glaring privacy gap in the app's design that leaked the private details of One Planet York users to anyone using the app legitimately.

"Accessing the app ‘Leaderboard’ screen caused the API to push the app’s top-ten users’ personal data, in plain text, to the app," RapidSpike says.

The company emphasizes that despite having access to the password salt information, the developer did not use the data to compromise or access the Council's servers.

"We must be really clear at this point: our developer did not manipulate any requests. The app simply transmitted this personal data as a response to the GET request for the ‘Leaderboard’ page. This personal data was sent to any user of the app when they browsed that page."
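The flaw described above is a server-side one: the leaderboard handler serialised whole user rows instead of the two or three fields the screen renders, so a plain GET handed every client the private columns. The following is an added illustration, not code from the council, the app vendor or RapidSpike; the field names, the PBKDF2 hashing and the sample records are all constructed assumptions. It shows the over-exposing handler beside a hardened one that builds its response from an explicit allow-list, plus the simple response check a tester runs to spot such a leak without manipulating any request.

```python
import hashlib
import json

# Keys that must never leave the server in a response meant for any app user.
# The set mirrors what the article says was exposed; "display_name" is the one
# piece of user data a public leaderboard legitimately needs.
SENSITIVE_KEYS = {
    "name", "email", "phone", "address", "postcode", "password_hash", "salt",
}


def _hash_password(password: str, salt_hex: str) -> str:
    """Salted PBKDF2 hash, stored the way a login system would store it."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 50_000
    ).hex()


def _constructed_users():
    """Constructed sample records (assumed field names, not real app data)."""
    users = []
    for i in range(12):
        salt_hex = f"{i:016x}"
        users.append({
            "id": i + 1,
            "display_name": f"resident{i + 1}",
            "name": f"Resident Number {i + 1}",
            "email": f"resident{i + 1}@example.invalid",
            "phone": f"01904 00{i:04d}",
            "address": f"{i + 1} Example Street",
            "postcode": "YO1 0AA",
            "points": (i * 37) % 101,  # recycling points, deliberately unordered
            "salt": salt_hex,
            "password_hash": _hash_password(f"pw{i + 1}", salt_hex),
        })
    return users


USERS = _constructed_users()


def leaderboard_vulnerable(users, limit=10):
    """The flaw as described: sort the user rows and serialise whatever the
    data layer returned, so every column rides along to any client."""
    top = sorted(users, key=lambda u: u["points"], reverse=True)[:limit]
    return json.dumps(top)


def leaderboard_fixed(users, limit=10):
    """Projection on the server: the response is built from an explicit
    allow-list of the fields the leaderboard screen actually renders."""
    top = sorted(users, key=lambda u: u["points"], reverse=True)[:limit]
    return json.dumps([
        {"rank": rank, "display_name": u["display_name"], "points": u["points"]}
        for rank, u in enumerate(top, start=1)
    ])


def find_sensitive_fields(response_body: str, deny=SENSITIVE_KEYS) -> set:
    """Walk a JSON response and report every deny-listed key, at any depth.
    This is the check a tester runs over an unmodified GET response."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in deny:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(response_body))
    return found


if __name__ == "__main__":
    print("leaked by vulnerable handler:",
          sorted(find_sensitive_fields(leaderboard_vulnerable(USERS))))
    print("leaked by fixed handler:",
          sorted(find_sensitive_fields(leaderboard_fixed(USERS))))
```

The point of the allow-list projection is that adding a column to the user table later (a new address field, a password reset token) cannot silently widen the response, whereas a deny-list on the vulnerable handler would need updating every time. The `find_sensitive_fields` check is worth running against every authenticated endpoint of a mobile app during testing, since it needs nothing beyond the traffic the app already sends.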

The Council thanks the developer, no apologies needed

Following the report from the RapidSpike developer about the One Planet York app exposing personal data, the City of York Council said it reached out to ask that any information collected during the research be destroyed.

The developer replied on the same day, confirming that they had no data stored, so there was nothing to destroy. It appears that the Council did not get the message at that time and considered the matter "a deliberate and unauthorized access" that needed to be brought to the police.

In a tweet today, the Council admitted that a technical problem had prevented the emails from reaching their destination and that the individual's actions were well intended.
