City of York Council app data breach affects over 6,000 residents
21 November 2018
The City of York Council recently suffered a major breach after a cyber criminal hacked into its One Planet York app and possibly stole personal details of up to 6,000 residents, including names, home addresses, email addresses, phone numbers, and passwords.
The Council was made aware of the breach by the hacker, who explained how he/she had been able to access residents' personal data via the app. It is not clear whether the hacker is seeking a ransom or is an ethical hacker.
Data breach forces City of York Council to shut down its app
After being contacted by the hacker, the City of York Council wrote to affected residents, stating that all data had been deleted from its app and that the app will no longer be supported.
“We have conducted a thorough review of the One Planet York app, we have deleted all links with the app and as a result, will no longer support it going forward. We have deleted it from our website and asked for it to be removed from the app stores and ask that you now delete it from your device.
“We cannot say for certain what the third party responsible has done with the data,” it added. A Council spokesperson told the BBC that as many as 5,994 personal data records of residents could have been breached.
“On November 1 2018, a third party contacted the council and told us they had found a way to access personal data of those people who use the One Planet York app.
“The data accessed included personal information such as names, addresses, postcodes, email addresses and telephone numbers together with encrypted passwords. To our knowledge, the data accessed did not include any further sensitive information. In addition, the One Planet York is isolated from other council systems and therefore unable to access other personal data,” said Ian Floyd, deputy chief executive at the City of York Council.
Poor security in apps a major reason behind the breach
Commenting on the breach of personal data of thousands of users via the York Council app, Martin Thorpe, Enterprise Security Architect at Venafi, said that the data breach is reflective of the way modern apps are being designed by developers without building security in from the ground up.
“This is a serious breach, with thousands of people having their personal data put at risk. Unfortunately, hacks of this kind are rising year on year, though; York is certainly not alone. There are now over 15.5 billion apps in the UK, often containing very personal information – from health data to financials.
“Yet developers are often more focused on features and usability than on security. In a bid to increase speed to market, developers are prioritising convenience and failing to build security in from the ground up.
“This rush to get products to market is resulting in corner cutting and sub-standard solutions are flooding the market. A clear example of this is with the use of free or cheap digital certificates, which are used to provide a ‘machine identity’ to prove that a system or app can be trusted and provide the foundations of secure machine to machine communication.
“Many developers are just picking the quickest or cheapest certificate they can find and there is often a lack of controls in the system that issues them which weakens security and increases the risk of manipulation,” he added.
Last year, the National Cyber Security Centre had also warned that several security vulnerabilities in popular online dating apps were putting the personally identifiable information of millions of users at risk.
Such vulnerabilities included poor security and lack of encryption during data transmission, lack of security in token-based authorisation processes, and vulnerabilities in several apps’ message history, particularly for Android users running outdated software.
By exploiting such vulnerabilities, hackers could destroy a user’s anonymity by obtaining his/her personally identifiable information from such apps, and thereafter blackmail the user into paying up to prevent his/her data from being shared on the Internet.