One Planet York: ‘Ethical hacker’ exposed council app flaw

A council is seeking to reassure residents that a flaw in a council app allowing personal data to be breached was discovered by an “ethical hacker”.

A developer for a Leeds-based digital agency found phone numbers, addresses and encrypted passwords of One Planet York users could be found on the app.

City of York Council initially warned 5,994 accounts contained in the app could have been breached.

It has since called the hack “well-intended” and thanked the developer.

Rapidspike, a digital monitoring platform, said one of its developers “browsed to a page within the app, as any user would” and was able to access a list of ten users with personal information visible.

The developer “did not do anything to exploit the vulnerability” of the app, which allowed users to check bin collection dates and recycling advice, and immediately informed the council, the company said.

City of York Council contacted North Yorkshire Police and the Information Commissioner’s Office after the data breach was reported.

The One Planet York app has since been removed from app stores and the council’s website, and the authority has urged remaining users to delete it from their devices.

On Monday, the council tweeted: “Despite attempts to contact [the hacker], they did not respond and as a result of what appears to be a deliberate and unauthorised access we informed the police”.

More stories from around Yorkshire

The local authority, which has since revised its stance, said: “Following further review it has become clear that the person who identified the issue with the app had tried to contact us but their email had not been received due to security settings.

“Whilst we consider we took appropriate measures based upon the facts at the time, we can now confirm that this was a well-intended action by the individual concerned and we would like to thank them for raising this matter.”

An ethical hacker, also known as a ‘white hat’ hacker, is someone who looks for data vulnerabilities in the public interest, rather than for malicious or criminal purposes.

North Yorkshire Police’s digital investigation and intelligence unit said the developer had “acted correctly”.