Told your organisation is leaking data? Here’s how not to respond

Platform engineer and open source enthusiast Rob Dyke says that he’s found himself in a sticky pickle.

You see, in late February he discovered two public repositories on Github which contained code for an application, API keys, usernames and passwords, and a database dump. Anyone in the world could access the sensitive information.
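The kind of exposure described above (API keys, passwords and a database dump sitting in a public repository) is usually caught earliest by scanning commits for secret-like strings before they are pushed. The following is an added example, not code from this article, from Rob Dyke, or from the unnamed organisation, of such a pre-publish check in Python. The detection patterns are illustrative heuristics, and the sample repository files and the credential-looking values in them are constructed for the example, not real secrets.

```python
"""Minimal secret scanner for files about to be committed or published.

Added example (not from the article or from Rob Dyke). It flags lines that
look like hard-coded credentials so they can be reviewed before a repository
reaches a public host. Rules and sample input are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Each rule maps a name to a regex. These are illustrative heuristics, not an
# exhaustive set; real scanners carry hundreds of patterns plus entropy checks.
RULES: Dict[str, "re.Pattern[str]"] = {
    # AWS access key IDs have a fixed "AKIA" prefix followed by 16 upper-case
    # alphanumerics, which makes them a reliable high-signal pattern.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Generic "api_key = <long token>" assignments in code, YAML, .env or PHP
    # arrays (the optional quote and "=>" handle 'api_key' => '...').
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|secret[_-]?key|token)\b['\"]?\s*(?:[:=]|=>)\s*['\"]?([A-Za-z0-9_\-]{16,})"
    ),
    # Quoted password assignments; no leading \b so "db_password" is caught too.
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)['\"]?\s*(?:[:=]|=>)\s*['\"]([^'\"]{4,})['\"]"
    ),
    # Database URIs that embed a username and password.
    "db_connection_uri": re.compile(r"(?i)\b(mysql|postgres(?:ql)?|mongodb)://[^\s:]+:[^\s@]+@"),
    # PEM private key headers.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for every line that matches a rule.

    Only the location and rule are reported, never the matched value, so the
    scanner's own output does not become a second place the secret is written.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of path -> contents and return only files with findings."""
    results: Dict[str, List[Tuple[int, str]]] = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            results[path] = hits
    return results


def is_safe_to_publish(files: Dict[str, str]) -> bool:
    """True when no file matched any rule; use as the gate in a pre-push hook."""
    return not scan_files(files)


# Constructed sample files standing in for a snapshot of a repository.
# The values below are made up for the example and are not real credentials.
SAMPLE_FILES: Dict[str, str] = {
    "config/app.php": (
        "<?php\n"
        "return [\n"
        "    'debug' => true,\n"
        "    'api_key' => 'EXAMPLEKEY1234567890abcdef',\n"
        "    'db_password' => 'hunter2-not-real',\n"
        "];\n"
    ),
    ".env": (
        "DATABASE_URL=mysql://app:exampleP4ss@db.internal/app\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000\n"
    ),
    "README.md": "# App\n\nCopy .env.example to .env and fill in your own values.\n",
}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, rule in hits:
            print(f"{path}:{lineno}: possible {rule}")
    print("safe to publish:", is_safe_to_publish(SAMPLE_FILES))
```

Run as a pre-push hook, `is_safe_to_publish` would block the push for the two constructed files above while letting the README through; the report deliberately names only the file, line and rule, so reviewers see where to look without the secret being copied into CI logs.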

Dyke contacted the organisation (which he hasn’t named), sending them evidence of their security screw-up and pointing out that the code was based on an old version of a PHP framework that contained known vulnerabilities.

Dyke went on to explain that he had encrypted the sensitive data (which was more than the organisation had done) when storing it securely, and would destroy his copy in 90 days.

The good news is that the owner of the repository thanked him, and the offending code and data were taken down.

Fast forward to earlier this week, when a law firm acting on behalf of the organisation wrote to him accusing him of “committing offences under the Computer Misuse Act 1990 and the Investigatory Powers Act 2016” and, in his words:

“…demanding that I give commitments that amounted to me acknowledging that I had unlawfully hacked into and penetrated systems and databases.”

Dyke says that he has made no threats to the organisation or its systems, and was practising responsible disclosure. It certainly sounds like that to me too.

Clearly rattled, Dyke has started a crowdfunding campaign to pay for legal representation. So far he’s raised more than the £1500 he requested from his Twitter followers – an impressive achievement.

He’s nobly – so far – declined to name the organisation concerned, but says “If you knew who it was you’d be very disappointed.”

I hope the unnamed organisation quickly realises its mistake, and apologises to Rob. If anything they should offer him some form of bug bounty for his honesty and expertise after their goof.

If and when the organisation’s name becomes known, this is likely to cost it much more.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.