The City of York has come under heavy criticism for its handling of a breach report in a recycling app.
Instead of fixing a responsibly disclosed problem with its One Planet York app, the local council pulled the app and reported the matter to the police, rather than going straight to data privacy watchdogs at the Information Commissioner’s Office (ICO).
The council told The Daily Swig that it acted in this way as a precaution, because the reporting parties failed to respond to following up queries, leaving the local government authority unsure of their motives.
North Yorkshire Police’s Digital Investigation & Intelligence Unit has defended the actions of the security researcher in dismissing the City of York’s data breach report. “We are aware of the York ‘data breach’ but please be reassured we don’t regard this incident as criminal,” it said in an update to its official Twitter account. “We recognise the benefits of software vuln disclosure as part of a healthy security environment and the researcher has acted correctly.”
The firm behind the discovery, Leeds-based RapidSpike, published details of the vulnerability and a timeline of its disclosure on Tuesday. "The One Planet York app: it was sending the personal details of its users, to other users of the app, whenever the 'Leaderboard' page was selected," RapidSpike explained.
RapidSpike goes on to provide a detailed timeline and screenshots of emails that refutes the City of York's contention on Monday that it went to the police because the finders of the flaw was unresponsive to its follow-up requests. RapidSpike states it followed the City of York's disclosure guidelines.
Mobile security expert David Rogers, a visiting professor at York St John University, has offered to school City of York staff how to deal with security researchers, free of charge.
The One Planet York mobile app allowed residents to check up on their next waste and recycling collection date. Users could also scan the barcode on the tins or containers of food and household products to see whether or not it was currently possible to recycle them.
A recently disclosed API coding flaw with the app exposed all manner of personally information, including the address, postcode, email address, and phone number of around 6,000 users.
Passwords “stored in an encrypted format” were also exposed. Whether this means hashed or not is unclear.
The City of York only became aware of the problem after an unnamed third party emailed it with an extract from the database of the user records for the One Planet York app. The council characterized this as “deliberate unauthorised access” even though no money accompanied what would appear to be a friendly warning.
“A third party, who we believe was behind the deliberate unauthorised access, shared a small, redacted sample of the information they had extracted,” the council explained in an FAQ on the breach, supplied to a local paper.
“Their email stated they provided this information to make us aware of the issue and enable us to address it.”
“We cannot say for certain what the third party responsible has done with the data. They notified us of the vulnerability and have not requested anything in return which suggests they are someone who looks for data vulnerabilities in the public interest,” it added.
The council decided that the best way to safeguard residents’ data was to permanently withdraw the app and call in the cops, according to the FAQ (obtained by a local paper and not directly available via the City of York's website).
We took key elements of the app offline as soon as our data protection team were made aware of it whilst we conducted our internal investigations. We are unable to remove this app from user’s personal devices and taking the app offline was the most expedient way to minimise further risk to our users. We have contacted the third party and asked them to securely delete all data taken from the app. Given this constitutes illegal access to other people’s personal information we have also notified the police and will not be reinstating the app.
Even though the app has been pulled, users are still been advised to change passwords as well as uninstalling it from their phones. Other City of York apps and systems are not affected by the problem, the council was keen to emphasize. “This app is isolated from council systems and not linked to any other systems we host,” it concluded.
The infosec community has united in criticising the City of York for treating the individuals who reported problems with its systems like criminals.
Helme discovered that the notification came in the form of a PDF attachment to an email from the City of York with the subject line ‘One Planet York app’ – bad practice since consumers are cautioned against opening unsolicited PDF messages. He also noted that the notification should have been sooner, in order to meet the 72-hour disclosure deadline imposed with the introduction of GDPR.
“Notification was given to them on 1st Nov, the PDF is dated 16th Nov and the email was sent 18th Nov, meaning 17 days for notification to users,” Helme said in a Twitter update. “That’s not too bad, at least they notified, but this should have taken place sooner really.”
During a thread on Twitter, Helme explains that he is only criticising the council in order to help others learn from its mistakes in handling the incident as well as extending an offer to help, if anyone from the City of York wanted to get in touch.
UK infosec practioneer Kevin Beaumont summed up the feeling of many of his peers in response to the City of York's handling of the matter. “Imagine being the researcher who told them privately, to get a reply saying we’ve told the police about you,” he said in a Twitter update.
The City of York maintains that it has acted appropriately, despite this criticism. “Just to confirm, we notified the ICO and the police following the data breach, in line with national guidance,” the City of York said in a post to its official Twitter account. “We continue to cooperate with both investigations.”
A City of York council spokeswoman told The Daily Swig: “The app and associated servers were taken down within three hours of the vulnerability being identified. A thorough investigation was then carried out to ascertain what data had been breached, and as a result, our confidence in supporting the app. We made a decision to permanently remove the app and at that point we wrote to customers with full details and advice about how they should respond.”
“After being informed by a third party about the data breach we tried to contact them to both confirm their motives and understand their actions. Despite attempts to contact them, they did not respond and as a result of what appears to be a deliberate and unauthorised access, we informed the police. The ICO was also informed.”
An ICO spokesperson said: “The City of York Council has made us aware of an incident and we are making enquiries.”
The orphaned One Planet York app page tells users to remove the software and reset passwords. There’s no mention of the breach or a copy of the breach notice on the City of York’s website.
The offending app was put together by Leeds-based software house Appware. The Daily Swig asked for confirmation on this and comment on whether other apps using the same code also need remediation.
There’s no word back from this as yet but we’ll update this story as and when more information comes to hand.
This article was updated on Tuesday to include comments from flaw finders at RapidSpike and local mobile security expert David Rogers.