Major security breach as York council app allows access to people’s personal data

Personal data belonging to users of York council’s environmental app has been accessed by an unauthorised third party, it has emerged this weekend.

City of York Council has contacted police and has permanently taken down its One Planet York app, following the major security breach.

The app supported the council’s broader One Planet York programme, which seeks to reduce waste and improve the city’s environmental performance, but a third party contacted the council on November 1 to tell staff they had accessed users’ data.

A council spokesman said 5,994 records are contained in the app and could have been breached.

Ian Floyd, the council’s deputy chief executive and corporate director of customer and corporate services, has emailed users.

He told them they should delete the app from their own device.

Deep regret

Mr Floyd said the council’s action and warning were a precaution, as it is thought the motive of the third party was to expose the security flaw, but he said the council “deeply regretted” the breach.

In his letter, which has been passed on to YorkMix, he wrote:

  • On 1 November 2018, a third party contacted the council and told us they had found a way to access personal data of those people who use the One Planet York app.

    The data accessed included personal information such as your name, address, postcode, email and telephone together with your encrypted password.

    To our knowledge, the data accessed did not include any further sensitive information. In addition, the One Planet York app is isolated from other council systems and therefore unable to access other personal data.

He added: “We have conducted a thorough review of the One Planet York app, we have deleted all links with the app and as a result, will no longer support it going forward.

“This is to prevent a recurrence of such an attack, and to protect the privacy of residents and users of the app. We have deleted it from our website and asked for it to be removed from the app stores and ask that you now delete it from your device.

“We have notified the police of this deliberate and unauthorised access by a third party.”

The council has also issued a Q&A about the breach – see below.

The One Planet app

Development companies were tasked with developing an idea for a One Planet York app and pitching it to members of the City of York Council at Venturefest 2014.

After several pitches, Appware was chosen as the winner with an idea focused on waste and recycling, and the company began working on it with staff at the council.

The app allowed residents to easily check their next waste and recycling collection date. Users could also scan a household product’s barcode to see whether it could currently be recycled.

Users gained ‘Planet points’ when they scanned items, ranking them against other app users.

At its launch in June 2016, Cllr Andrew Waller, executive member for the environment, said:

  • The One Planet York app is a great way for residents to hopefully become more environmentally friendly with handy hints and tips to help them increase their recycling.

    This will help York in our aim to become the Greenest City in the North and our plans to become a One Planet Council.

App Q&A

The council has also sent a Q&A with its letter. This is an excerpt from that document:

How did this breach occur?
We have investigated the breach and identified a vulnerability in the code that runs behind the app (the ‘API’) that controls access to the database.

How did City of York Council become aware of the breach?
A third party, who we believe was behind the deliberate unauthorised access, shared a small, redacted sample of the information they had extracted. Their email stated they provided this information to make us aware of the issue and enable us to address it.

What data could the third party have got hold of?
The data provided was an extract from the database of the user records for the One Planet York app. It is information users had supplied when they signed up for the app, including userid, username, password in encrypted form, address, postcode, a unique property reference for the address provided, the address, email address, phone number, general location, notification settings and ‘planetpoints’ within the app.

Has my password been compromised?
The passwords are stored in an encrypted format. It would be difficult to get access to this without personal knowledge of the individual user of the app.

Where is the breached data now?
We cannot say for certain what the third party responsible has done with the data. They notified us of the vulnerability and have not requested anything in return which suggests they are someone who looks for data vulnerabilities in the public interest. We have requested they securely delete all traces of the data from their systems and advise you to follow the guidance set out below.

What steps have the council taken?
We took key elements of the app offline as soon as our data protection team were made aware of it whilst we conducted our internal investigations. We are unable to remove this app from users’ personal devices and taking the app offline was the most expedient way to minimise further risk to our users. We have contacted the third party and asked them to securely delete all data taken from the app. Given this constitutes illegal access to other people’s personal information we have also notified the police and will not be reinstating the app.

What do I need to do?
We recommend you delete the app from your device(s). In addition, you are advised to change passwords in line with the Government’s best practice here: cyberaware.gov.uk

Should I be concerned about other council accounts I have?
This app is isolated from council systems and not linked to any other systems we host. The actions of the third party could not have been used to gain access to other council systems that may contain your personal data. We cannot say any system is 100% protected, however we now have several measures in place to keep the risk of this type of breach to an absolute minimum. Anyone concerned about identity fraud can contact their bank or building society for advice, HMRC if appropriate at https://www.gov.uk/government/organisations/hm-revenue-customs or Credit Reference Agencies or the ICO.