Told your organisation is leaking data? Here’s how not to respond

Graham Cluley
@gcluley

Platform engineer and open source enthusiast Rob Dyke says that he’s found himself in a sticky pickle.

You see, in late February he discovered two public repositories on GitHub which contained code for an application, API keys, usernames and passwords, and a database dump. Anyone in the world could access the sensitive information.

Dyke contacted the organisation (which he hasn’t named), sending them evidence of their security screw-up and pointing out that the code was based on an old version of a PHP framework which contained known vulnerabilities.


Dyke went on to explain that he had encrypted the sensitive data (which was more than the organisation had done) when storing it securely, and would destroy his copy in 90 days.

The good news is that the owner of the repository thanked him, and the offending code and data were taken down.

Fast forward to earlier this week, when a law firm acting on behalf of the organisation wrote to him accusing him of “committing offences under the Computer Misuse Act 1990 and the Investigatory Powers Act 2016” and, in his words

“…demanding that I give commitments that amounted to me acknowledging that I had unlawfully hacked into and penetrated systems and databases.”

Dyke says that he has made no threats to the organisation or its systems, and was practising responsible disclosure. It certainly sounds like that to me too.

Clearly rattled, Dyke has started a crowdfunding campaign to pay for legal representation. So far he’s raised more than the £1500 he requested from his Twitter followers – an impressive achievement.

He’s nobly – so far – declined to name the organisation concerned, but says “If you knew who it was you’d be very disappointed.”

I hope the unnamed organisation quickly realises its mistake and apologises to Rob. If anything, they should offer him some form of bug bounty for his honesty and expertise after their goof.

When/if the organisation’s name becomes known, this is likely to cost it much more.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
