NHS-backed org reacted to GitHub leak disclosure with legal threats and police call, complains IT pro
Retention of now-deleted security breach evidence sparks spat
+Comment IT pro Rob Dyke says an NHS-backed company not only threatened him with legal action after he flagged up an exposed GitHub repository containing credentials and insecure code, it even called the police on him.
Dyke, who has previously appeared in this organ, in March said he received letters from lawyers representing the Apperta Foundation after he told the business he had found a public repo containing the source code for an insecure online portal and its database containing usernames, hashed passwords, email addresses, and API keys.
We're told the repository contained two branches, and dated back to 2019. It clearly shouldn't be public as it could be used to view internal purchasing, receipting, budgets, and expenditure information through the portal. The material was left visible to the public for so long that the Internet Archive mirrored a copy of it, which indicated the files were committed to GitHub by a now-deleted account that appeared to belong to a senior Apperta person.
What happened next united infosec professionals across the world as well as triggering a crowdfundraiser and a behind-the-scenes legal war: we're told Apperta sent Dyke legal demands, and followed those up by alleging to the cops that he broke Britain's computer security laws.
The story is not straightforward though shows that vulnerability disclosure and the response to disclosure can be a minefield – especially if both sides have previous history of falling out with each other.
Found some stuff you don’t want online
Having discovered the public-facing repository at the end of February, and notified the company on 1 March with a written report of his findings, Apperta’s first response was good, Dyke told The Register, and that he was thanked by the organization. “The repo quickly went private, and they took their portal website offline,” he said.
We understand Apperta – which is a not-for-profit company that provides tech, support, and funding for health and social care – has taken down its GitHub repo, and replaced its exposed API keys.
Here's where the wheels come off. When privately disclosing his findings, Dyke told Apperta he would retain a copy of the files he found for three months. As he wrote on his crowdfunding page, set up to raise £25,000 to foot his legal bills to fend off Apperta:
I stated in my disclosure that I would keep the materials for 90 days (encrypted) and then destroy them and certify that I had by email.
Apperta interpreted this as the unlawful copying of its data, and that this internal information was being retained by a third party without permission for some unknown purpose. A week after receiving Dyke's report, the company's lawyers wrote to him demanding he destroy his copy of the files.
‘Data you unlawfully extracted’
Why keep the data at all? Dyke told us he held onto the information in case it would be needed again as the situation unfolded, post-disclosure. “It was a log of my actions," he said. "And it was important for me to keep it in case there was a wider cyber incident that I was not aware of.”
Views on the ethics and lawfulness of taking copies of exposed data vary. In the UK, it is frowned upon.
Dyke, who is a cloud platform engineering lead at a global consultancy, reminded Apperta that he only viewed webpages that had been publicly accessible, that he would remove a fork he made of the repo on GitHub to study it, and said he would destroy his copy of the data after three months had passed, among other undertakings. The next morning, Apperta's lawyers said this wasn't good enough, and urged him to sign a document promising he had deleted the materials.
The solicitors also picked up on something Dyke had put in his report: he said Apperta's portal "should be considered compromised" given its code, database, and vulnerabilities had been on show for anyone to find for years.
“And this is where a little bit of domain literacy goes a long way,” Dyke told us. “So in my report to them, I said, you should consider the Apperta portal compromised. Now that has a technical word in it; it has a meaning in infosec.”
Apperta, said Dyke, interpreted the word “compromised” as a threat or admission of malicious activity by Dyke himself. His tweets in which he said he had found and studied the contents of repo, without naming the owner, were also taken by the company as boasts of "unlawful extraction" of its data and as a threat to leak the non-profit's files. Dyke said this interpretation was absurd.
This all led to the solicitors demanding he sign a document that gave...
… your confirmation that you have not, and will not, publish the data you unlawfully extracted.
“As I'm not stupid, there was no fucking way I was going to sign that,” said Dyke, as it would pretty much be signing a confession that he "unlawfully extracted" data from Apperta's systems. Had Apperta not asked he admit a criminal act, he would have signed their undertaking, he added. Instead, things ground to a halt as Dyke’s lawyers responded to Apperta’s lawyers, going back and forth for weeks, as Apperta made it clear it wanted to apply to the High Court of England and Wales for an injunction against the IT pro. Such a court order would ban him from publicly divulging any information he had obtained.
Ultimately, Dyke relented before it got to court, and informed Apperta he had deleted the files and, he told us, sent them some proof. “I had already sent them the summary which had the screenshots, and a copy of the repo and my report. I deleted those things,” he said.
Dyke also named Apperta on Twitter, and made his findings public. The infosec community rallied around him.
Security researcher @robdykedotcom recently discovered and responsibly disclosed security vulnerabilities to @AppertaUK about sensitive information stored on their publicly accessible repositories. He now faces legal retaliation. Let's help him.https://t.co/cq6dXwxVNg— Hacking is NOT a Crime (@hacknotcrime) April 27, 2021
At the time of writing, his crowdfunding effort had raised more than £15,000 towards paying his legal bills. Dyke also tweeted a High Court claim form and penal notice, partially filled in, which he said had been sent to him by Apperta’s solicitor.
For Apperta's part, it confirmed to The Reg that this brouhaha did not get as far as going to court, and that its actions were reasonable. It also curiously claimed there had been an "unauthorised entry" into its systems:
In early March we were alerted to a security incident which concerned some of our own financial reports and unauthorised entry to a confidential internal database in our systems. We took immediate action to isolate this breach and secure our system.
The Apperta Foundation has not issued legal proceedings against Mr Dyke. Mr Dyke has now provided Apperta with an undertaking in relation to this matter. We believe our actions have been entirely fair and proportionate in the circumstances and we have been guided by the Information Commissioner’s Office (ICO) and our legal advisers regarding our duties as a responsible organisation.
It also said: "While Mr Dyke claims to have been acting as a security researcher, he used multiple techniques that overstepped the bounds of good faith research, and he did so unethically," adding that this had "been confirmed by independent experts."
It did not detail what those techniques were nor whom it had retained to check Dyke's work.
So, we meet again
Dyke said he had previously worked with Apperta on NHS open-source projects. Indeed, he had a copy of its information security policy from that time, he told us, and claimed he followed that when he disclosed the GitHub blunder to Apperta.
We have heard allegations of personal fallings-out between those involved in this case, which are of tangential interest to the vulnerability disclosure and legal response. As far as the disclosure went, The Register has seen evidence that the repo in question was uploaded two years ago by a senior Apperta person, and it shouldn't have been made public.
Northumbria Police confirmed to us its officers had dropped a probe into a report of "computer misuse," with a spokesperson saying: "We can confirm there is no longer an investigation."
As for any potential civil disputes, Dyke has since given a legal undertaking to Apperta, as both parties confirmed to The Register separately. He thanked his legal team and infosec bod Sick Codes, Disclose.io, and Twitter campaign account HackingIsNotACrime for their support.
Comment: What to learn from this?
Vuln disclosure can be a fraught process. Someone in Dyke’s position in future may be better off asking a trusted organisation or confidante to disclose a security hole on his behalf rather than doing it personally, especially in a situation where an existing relationship has turned sour for whatever reason. Bug bounty schemes and similar vuln disclosure programs are the best methods where available as there should be a well-defined process for passing on evidence and details in a way that doesn't end up with a report to the police.
Telling an organization that has screwed up its security, especially its lawyers, that you will retain a copy of the leaked data will rarely trigger a positive reaction. Keeping data post-remediation shouldn't be the norm, we think.
In a different context, Westminster Magistrates’ Court in London, England, held that copies of leaked data on hardware seized by police was a strong reason not to return the hardware to its lawful owner.
If the company in question directs its lawyers at you, get a lawyer of your own. Dealing with legal negotiations by yourself could have an expensive and painful outcome. Some household insurance policies come with legal cover and it is worth looking closely at these. ®