The recent York Council data breach led to the information for almost 6,000 people being exposed due to a coding vulnerability.
A computer expert happened upon the vulnerability in the ‘One Planet York’ app. He did the right thing and reported the breach to York Council, who then bizarrely reported him to the police. It’s understood that the expert had alerted the Council in an effort to make them aware, so the issue could be resolved.
The police matter aside, the result is that the data for almost 6,000 people has been left exposed. If one expert happened upon it, who’s to say someone else isn’t already aware of it, and hasn’t already been exploiting it?
About the York Council data breach
The York Council data breach stemmed from a vulnerability in the code for their One Planet York app. This app is used as part of their waste reduction plans and for the overall improvement of their environmental performance.
The app has since been taken down after the discovery of the data breach.
What data has been exposed in the York Council data breach?
The data exposed in the York Council data breach is user information that had been supplied during the sign-up process for the app.
This is said to include:
- User IDs;
- Passwords (in encrypted format);
- Email addresses;
- Telephone numbers;
- Property references;
- Certain settings;
- ‘Planet points’ – a feature within the app.
The expert who identified the breach sent a spread of redacted data to the council in an effort to notify them that they had a code vulnerability. Although the Council has since thanked the expert for their notification, they initially reported him to the police. They’ve yet to issue an apology to him, it’s understood.
What’s being done about the York Council data breach
A number of actions have been taken after the discovery of the York Council data breach.
The app has been taken down, and the breach has been referred to the ICO. The ICO will likely open a case and investigate the matter.
Users of the app are also being notified. A letter from York Council stated as follows:
On 1 November 2018, a third party contacted the council and told us they had found a way to access personal data of those people who use the One Planet York app.
The data accessed included personal information such as your name, address, postcode, email and telephone together with your encrypted password.
To our knowledge, the data accessed did not include any further sensitive information. In addition, the One Planet York is isolated from other council systems and therefore unable to access other personal data.
Another council data breach…
The York Council data breach is yet another council data breach. Once again, on the face of it, the breach appears to have been very preventable.
Council data breach claims are common ones our lawyers help people with.
One coding vulnerability has put the private data of almost 6,000 people at risk. We don’t yet know whether it had been accessed by anyone with more sinister intentions.