UK cops won’t go after researcher who reported security issue to York city officials
North Yorkshire Police said today they’re not pursuing a criminal case against the researcher who found a vulnerability in a mobile app developed by the York city council.
City officials had reported the researcher to police earlier this month, but North Yorkshire Police said “the researcher has acted correctly.”
The existence of this police report against the yet-to-be-named researcher came to light last week when York authorities disclosed a data breach affecting “One Planet York,” a mobile app developed by the city to help with scheduling waste collection pickups.
In an email sent to the mobile app’s users, York city officials said a “third-party” had accessed and downloaded data from its mobile app’s backend via a vulnerability in the app’s API (application programming interface).
They said the vulnerability allowed the third-party to collect info such as names, home addresses, postcodes, email addresses, telephone numbers, and encrypted passwords. The app had 5,994 users, city authorities said.
Officials reacted by discontinuing the One Planet York app, taking down download links from the city’s website, removing the app from the Play Store, and advising users to remove it from their phones.
“A third party, who we believe was behind the deliberate unauthorised access, shared a small, redacted sample of the information they had extracted,” said city officials in an FAQ section included with the breach notification email. “Their email stated they provided this information to make us aware of the issue and enable us to address it.”
“We cannot say for certain what the third party responsible has done with the data,” York officials added. “They notified us of the vulnerability and have not requested anything in return which suggests they are someone who looks for data vulnerabilities in the public interest.”
Nevertheless, despite admitting that the person who reported the issue didn’t have any malicious intent, city officials reported the intrusion into its systems to police.
But York city officials came under heavy criticism today from the IT security community after last week’s breach notification was resurfaced by prominent infosec pundit Troy Hunt, of Have I Been Pwned fame.
Most people were outraged that city officials weren’t gracious enough to thank the researcher for their work and good will but instead filed a police report. Other security researchers likened the incident to getting punched in the face after returning a lost wallet to its owner.
The good news is that North Yorkshire Police is not taking the York City Council report seriously.
“We are aware of the York ‘data breach’ but please be reassured we don’t regard this incident as criminal,” said a North Yorkshire Police spokesperson today. “We recognise the benefits of software vulnerability disclosure as part of a healthy security environment and the researcher has acted correctly.”
However, not all members of the security community criticized York city officials. Katie Moussouris, Founder and CEO of Luta Security, suggested that city officials were most likely doing their due diligence in the wake of an unauthorized penetration test.
Security researchers are supposed to ask for permission before performing intrusive vulnerability testing. All professionally-organized bug bounty and vulnerability disclosure programs prohibit pen-testers from downloading personally identifiable information (PII) (aka user data) onto their personal computers due to the legal complications that arise from this action. It’s these legal complications that York city officials are most likely navigating, Moussouris suggested.
“We have requested [the third party] securely delete all traces of the data from their systems,” city officials said in the FAQ section included in the breach notification email –somewhat indirectly confirming Moussouris’ theory.
A York City Council official did not respond to a request for comment for this article.
In addition, York city officials were also criticized today for filing a police report but not notifying the Information Commissioner’s Office, the UK’s privacy and data breach watchdog. But in an email to Tech News today, the ICO confirmed that York officials had reported the incident, which is now under investigation.