A computer expert who happened upon a major security flaw in a York council app did the right thing, and reported it to the authority.

But instead of publicly thanking him, council chiefs reported him to police.

Their response has been condemned as “shockingly bad” and “disgraceful” by national data security experts, among them a Microsoft director and the BBC’s ‘hacker in chief’.

Belatedly, the council has thanked the original whistleblower for alerting them to the problem. But they haven’t issued an apology.

And their handling of the case may have breached GDPR rules, and is the subject of an external investigation by the Information Commissioner’s Office (ICO).

A City of York Council spokesperson told us: “The One Planet York app data breach is now an ICO case. As a result it would be inappropriate for us to comment about information they will be looking into further.”

We have asked the council specific questions about the incident, and their full answers are below.

Major data breach

The One Planet York app. Photograph: Appaware
On November 18 YorkMix broke the news that phone app One Planet York had a serious security flaw, and was revealing the personal details of nearly 6,000 users.

Ian Floyd, the council’s deputy chief executive and corporate director of customer and corporate services, emailed those users to tell them to delete the app.

And he wrote: “We have notified the police of this deliberate and unauthorised access by a third party.”


But now it has emerged that the ‘third party’ was a developer working with digital experts Rapid Spike.

And he:

  • discovered the fundamental security weakness before it could be exploited by an attacker
  • acted in good faith in alerting the council, in accordance with accepted industry practice
  • followed City of York Council’s own procedures on reporting a security flaw
  • was thanked by council officials via email soon after reporting the problem
  • was quickly exonerated by police, who said he ‘acted correctly’.

The council said they called the police because they tried to contact the informant but ‘they did not respond’. In fact, the developer concerned responded within 18 minutes of receiving the first email from the council, and within a few hours of another email sent the following day.

You can read the timeline on the Rapid Spike blog here.

‘Goodwill down the toilet’

Photograph: Priscilla Du Preez on Unsplash
Among those expressing concern about the way York council handled the issue are Microsoft regional director and online security expert Troy Hunt, and Scott Helme, researcher and ‘BBC hacker in residence’.

Troy called the council response “shockingly bad”:

While Scott said the council had tried “to flush all good will and respect from security researchers and the wider community down the toilet”:

“To frame this as they have is, quite frankly, disgraceful,” he said.

And the police quickly dismissed the case against the whistleblower:

On the face of it, the council has also broken General Data Protection Regulation (GDPR) rules. The flaw was reported to them on October 27.

But Mr Floyd didn’t write to users till November 17, 21 days later. The alert should have gone out within the 72-hour disclosure deadline imposed by GDPR.

We have put all these points to City of York Council. Their answers are below.

What City of York Council says

City of York Council’s West Offices. Photograph: YorkMix
Why didn’t the council act sooner – it was notified of the breach on October 27, but only told users on November 17?
CYC answer: Once we were informed by a third party about the data breach we tried to contact them to both confirm their motives and understand their actions. Despite attempts to contact them, we did not receive their responses and as a result of what appears to be a deliberate and unauthorised access we reported the incident to the police so they could investigate whether a crime had been committed.


Does the council agree that this delayed action is in breach of GDPR rules?
CYC answer: As this is now an ICO case, it is not appropriate for us to respond to questions that will be looked at by ICO.



Why did the council say they couldn’t contact the third party who informed them of the data breach, when there is email correspondence between the council and the informant, including one reply within 18 minutes of the council getting in touch?
CYC answer: The third party has used Sender Policy Framework (SPF) settings on their mail server. This means that any email sent from them must be to certain IP addresses, otherwise it will be treated as not legitimate and will be dropped. This is to stop spoofing of their email address, i.e. if the email doesn’t come from a recognised IP address then it will be treated as not legitimate. The first email was successfully received by the council because at that point CYC specialist security checking was not activated. All subsequent responses were not received because they failed the security check and were dropped, as the third party’s own security settings told our security settings not to trust it.
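For readers unfamiliar with the mechanism the council refers to, the sketch below is an added illustration (not part of the article or the council’s statement) of how a receiving mail server evaluates SPF: the connecting IP is compared against the policy the sender’s domain publishes in DNS, and a hard fail (`-all`) only leads to the message being dropped if the receiver is configured to enforce the result. The domain names, IP addresses and SPF records are constructed for the example.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed, in-memory DNS table."""
import ipaddress

# Constructed sample records; example.net stands in for a sender's domain and
# _spf.mailprovider.example for a hosted mail provider it relays through.
DNS_TXT = {
    "example.net": "v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=DNS_TXT, depth=0):
    """Return the SPF result for mail claiming to be from `domain`, delivered by `client_ip`."""
    if depth > 10:  # RFC 7208 caps the number of DNS-querying mechanisms at 10
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if mech == "include" and check_spf(arg, client_ip, dns, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
        if mech == "all":  # catch-all, evaluated last
            return QUALIFIERS[qualifier]
    return "neutral"


def receiver_accepts(result, enforce=True):
    """Receiver-side policy: only a hard 'fail' is dropped, and only when enforcement is on."""
    if not enforce:
        return True
    return result != "fail"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        res = check_spf("example.net", ip)
        print(ip, res, "accepted" if receiver_accepts(res) else "dropped")
```

A genuine reply sent from an IP the domain owner forgot to list (192.0.2.5 above) fails just like a forged one, so operators who reject on hard fail should check quarantine or gateway logs before concluding a correspondent has gone silent.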


As the council had been in contact with the informant, why did they report him to the police?
CYC answer: Once we were informed by a third party about the data breach we tried to contact them to both confirm their motives and understand their actions. Despite attempts to contact them, we did not receive their responses and as a result of what appears to be a deliberate and unauthorised access we reported the incident to the police so they could investigate whether a crime had been committed.


Why did the council ignore the UK Government’s National Cyber Security Centre advice, and the International Standard framework for vulnerability disclosure?
CYC answer: As this is now an ICO case, it is not appropriate for us to respond to questions that will be looked at by ICO.


Is the council holding its own investigation into the data breach – and what are the terms?
CYC answer: As this is now an ICO case, it is not appropriate for us to respond to questions that will be looked at by ICO.