[BreachExchange] UK cops won't go after researcher who reported security issue to York city officials

Destry Winant destry at riskbasedsecurity.com
Tue Nov 27 11:04:06 EST 2018


https://www.zdnet.com/article/uk-cops-wont-go-after-researcher-who-reported-security-issue-to-york-city-officials/


North Yorkshire Police said today they're not pursuing a criminal case
against the researcher who found a vulnerability in a mobile app
developed by the York city council.

City officials had reported the researcher to police earlier this
month, but North Yorkshire Police said "the researcher has acted
correctly."

The existence of this police report against the yet-to-be-named
researcher came to light last week when York authorities disclosed a
data breach affecting "One Planet York," a mobile app developed by the
city to help with scheduling waste collection pickups.

In an email sent to the mobile app's users, York city officials said a
"third-party" had accessed and downloaded data from its mobile app's
backend via a vulnerability in the app's API (application programming
interface).

They said the vulnerability allowed the third-party to collect info
such as names, home addresses, postcodes, email addresses, telephone
numbers, and encrypted passwords. The app had 5,994 users, city
authorities said.

Officials reacted by discontinuing the One Planet York app, taking
down download links from the city's website, removing the app from the
Play Store, and advising users to remove it from their phones.

"A third party, who we believe was behind the deliberate unauthorised
access, shared a small, redacted sample of the information they had
extracted," said city officials in an FAQ section included with the
breach notification email. "Their email stated they provided this
information to make us aware of the issue and enable us to address
it."

"We cannot say for certain what the third party responsible has done
with the data," York officials added. "They notified us of the
vulnerability and have not requested anything in return which suggests
they are someone who looks for data vulnerabilities in the public
interest."

Nevertheless, despite admitting that the person who reported the issue
didn't have any malicious intent, city officials reported the
intrusion into its systems to police.

But York city officials came under heavy criticism today from the IT
security community after last week's breach notification was
resurfaced by prominent infosec pundit Troy Hunt, of Have I Been Pwned
fame.

Most people were outraged that city officials weren't gracious enough
to thank the researcher for their work and good will but instead filed
a police report. Other security researchers likened the incident to
getting punched in the face after returning a lost wallet to its
owner.

The good news is that North Yorkshire Police is not taking the York
City Council report seriously.

"We are aware of the York 'data breach' but please be reassured we
don't regard this incident as criminal," said a North Yorkshire Police
spokesperson today. "We recognise the benefits of software
vulnerability disclosure as part of a healthy security environment and
the researcher has acted correctly."

"There are times when 'researchers' overstep the mark but this is not
one of those. We'd rather work with public-spirited individuals and
share learning than criminalise people who act in good faith."

However, not all members of the security community criticized York
city officials. Katie Moussouris, Founder and CEO of Luta Security,
suggested that city officials were most likely doing their due
diligence in the wake of an unauthorized penetration test.

Security researchers are supposed to ask for permission before
performing intrusive vulnerability testing. All
professionally-organized bug bounty and vulnerability disclosure
programs prohibit pen-testers from downloading personally identifiable
information (PII) (aka user data) onto their personal computers due to
the legal complications that arise from this action. It's these legal
complications that York city officials are most likely navigating,
Moussouris suggested.

"We have requested [the third party] securely delete all traces of the
data from their systems," city officials said in the FAQ section
included in the breach notification email -- somewhat indirectly
confirming Moussouris' theory.

A York City Council official did not respond to a request for comment
for this article.

In addition, York city officials were also criticized today for filing
a police report but not notifying the Information Commissioner's
Office, the UK's privacy and data breach watchdog. But in an email to
ZDNet today, the ICO confirmed that York officials had reported the
incident, which is now under investigation.

Update on November 27, 10:40am ET: Cyber-security firm RapidSpike has
revealed that they are the "third party" who reported the
vulnerability to the York city officials. In a blog post today, the
company denied any "unauthorized access" and explained that the app
was so poorly coded that its backend was sending other users' data to
any user accessing the Leaderboard section.
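The failure mode described here (an API that returns other users' full records to whoever requests a shared view such as a leaderboard) is what the OWASP API Security Top 10 calls excessive data exposure. The following is an added illustration written for this post, not code from the One Planet York app, the York council, or RapidSpike: a minimal leaderboard handler that serialises whole user records beside a hardened version that projects only the fields the leaderboard screen needs, plus a small check a reviewer or CI test could run over a response payload. The user records, field names (home_address, postcode, password_hash and so on) and function names are all constructed for the example.

```python
"""
Added example: excessive data exposure in a leaderboard API, and the
allowlist projection that fixes it. All data and names are constructed.
"""
from dataclasses import dataclass, asdict
from typing import Any, Dict, Iterable, List, Set


@dataclass
class User:
    user_id: int
    display_name: str
    points: int
    # Fields a leaderboard must never reveal (constructed sample values).
    email: str
    home_address: str
    postcode: str
    telephone: str
    password_hash: str


# Constructed in-memory user store standing in for the app backend's database.
USERS: List[User] = [
    User(1, "recycler_one", 120, "one@example.invalid", "1 Example Street",
         "YO1 0AA", "01904 000001", "$2b$12$constructedhashone"),
    User(2, "recycler_two", 340, "two@example.invalid", "2 Example Street",
         "YO1 0AB", "01904 000002", "$2b$12$constructedhashtwo"),
    User(3, "recycler_three", 75, "three@example.invalid", "3 Example Street",
         "YO1 0AC", "01904 000003", "$2b$12$constructedhashthree"),
]

# Field names that are personal data or secrets and have no place in a shared view.
SENSITIVE_FIELDS: Set[str] = {
    "email", "home_address", "postcode", "telephone", "password_hash",
}

# The only fields the leaderboard screen actually displays (allowlist).
LEADERBOARD_FIELDS = ("display_name", "points")


def _ranked(users: Iterable[User], top_n: int) -> List[User]:
    """Highest points first; ties keep store order."""
    return sorted(users, key=lambda u: u.points, reverse=True)[:top_n]


def leaderboard_vulnerable(users: Iterable[User], top_n: int = 10) -> List[Dict[str, Any]]:
    """The exposure pattern: the handler serialises the whole ORM object.

    Every field of every ranked user, including contact details and the
    password hash, is sent to any caller who can reach the endpoint.
    """
    return [asdict(u) for u in _ranked(users, top_n)]


def leaderboard_hardened(users: Iterable[User], top_n: int = 10) -> List[Dict[str, Any]]:
    """Allowlist projection: build the response from the fields the view needs.

    New columns added to User later stay private by default, because nothing
    reaches the wire unless it is named in LEADERBOARD_FIELDS.
    """
    return [
        {"rank": rank, **{f: getattr(u, f) for f in LEADERBOARD_FIELDS}}
        for rank, u in enumerate(_ranked(users, top_n), start=1)
    ]


def leaked_sensitive_fields(response: Iterable[Dict[str, Any]]) -> Set[str]:
    """Review/CI check: which sensitive field names appear anywhere in a payload.

    An empty set means the response carries none of the protected fields.
    """
    found: Set[str] = set()
    for record in response:
        found |= SENSITIVE_FIELDS & set(record)
    return found


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(leaked_sensitive_fields(leaderboard_vulnerable(USERS))))
    print("hardened leaks:  ", sorted(leaked_sensitive_fields(leaderboard_hardened(USERS))))
    print("hardened payload:", leaderboard_hardened(USERS))
```

The point of `leaked_sensitive_fields` is that it can run as a regression test against the serialised output of every public endpoint, so a later change that switches a handler back to dumping whole objects fails the build rather than shipping. Projecting by allowlist, rather than stripping a denylist of known-bad fields, is the design choice that matters: the vulnerable handler is wrong not because of any one field but because it never asked which fields the caller is entitled to see.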

