- A researcher found a data leak, reported it to the owner, was thanked, and then reported to the police.
- The man has failed to reach a resolution with the organization despite his repeated attempts.
- The organization is an open-source non-profit active in British healthcare.
Security researcher and open source advocate Rob Dyke discovered two public repositories on GitHub back in February 2021 and informed the owner of the data leak. The repositories, which should never have been public, contained application code, API keys, usernames, passwords, and more.
The researcher chose to encrypt the sensitive data and keep a stored copy for 90 days, the standard disclosure period. At the same time, he informed the data owner and helped take the sensitive information offline.
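The leak above is the classic case of credentials committed to a repository that was never meant to be public. The usual defensive control is a secret scan run over the repository contents before anything is pushed (or as a periodic audit of what is already published). The following is an added example, not code from the article, from Rob Dyke, or from the organization involved: a small scanner that layers three checks, a known key format (the AWS access key ID prefix, using the example key value AWS itself documents), an assignment to a credential-looking variable name, and a Shannon-entropy test for long random-looking tokens. The sample files, their paths and their values are constructed for the demonstration.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample repository contents (hypothetical paths and values).
# The AWS key values are the placeholder examples from AWS documentation.
SAMPLE_FILES = {
    "config/settings.py": (
        "DB_USER = 'svc_user'\n"
        "DB_PASSWORD = 'Summer2021!'\n"
        "DEBUG = False\n"
    ),
    "deploy/env.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "export REGION=eu-west-2\n"
    ),
    "README.md": "# Service\n\nRun `make test` before pushing.\n",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    match: str


# Rule 1: well-known key formats. AWS access key IDs are "AKIA" + 16 upper-case
# alphanumerics; other providers' prefixes can be added to this table.
KEY_FORMATS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Rule 2: a value assigned to a name that looks like a credential
# (password=..., API_KEY: ..., AWS_SECRET_ACCESS_KEY=...).
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|access[_-]?key)[a-z0-9_]*"
    r"\s*[=:]\s*['\"]?([^'\"\s]+)"
)

# Rule 3: long tokens whose characters are close to uniformly distributed.
# "=" is deliberately excluded from the class so KEY=VALUE splits into two tokens.
TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; identifiers sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s, estimated from its own symbol frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list:
    """Apply all three rules to one file's contents, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in KEY_FORMATS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, rule, m.group(0)))
        m = ASSIGNMENT.search(line)
        if m:
            findings.append(Finding(path, line_no, "credential-assignment", m.group(2)))
        for m in TOKEN.finditer(line):
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high-entropy-token", m.group(0)))
    return findings


def scan_repo(files: dict) -> list:
    """Scan a {path: contents} mapping and return every finding."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def redact(value: str) -> str:
    """Show only a short prefix so a report does not itself re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.rule}] {redact(f.match)}")
```

Note that the documented example access key ID scores below the entropy threshold on its own and is caught only by the format rule, while the secret key is caught by both the assignment rule and the entropy rule; that overlap is why real scanners combine pattern, context and entropy checks rather than relying on any one of them. A report produced this way should be stored redacted, which is the same concern that led the researcher to encrypt his copy of the leaked data.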
To his surprise, at the start of this month he received a notice from the owner of the still-undisclosed organization, essentially threatening him with legal action for unauthorized access to their data. He then revealed that the repository had remained public for two years and that anyone could have accessed it in the meantime.
At that point, Dyke sought the help of a tech-savvy lawyer to deal with this unexpected bullying from an organization that had previously thanked him. Because some of the data was still online, the threatened researcher chose to keep everything else undisclosed, so he still did not reveal the organization's name.
Fast forward to today: with the two parties having apparently resolved what was surely a misunderstanding, the researcher published a letter from Northumbria Police asking him to contact them concerning a report of computer misuse. That came 24 days after the organization thanked him, 18 days after he deleted his clone, and after multiple confirmations with the entity's lawyer. This time the organization's name was finally revealed: it is the Apperta Foundation.
The Apperta Foundation is a clinician-led, not-for-profit company supported by NHS England, NHS Digital, and others, which promotes open systems and standards for digital health and social care. The data it leaked so irresponsibly is therefore public data: the exposed individuals could be physicians, medical personnel, or even patients, and the incident should have been reported to the UK ICO (Information Commissioner's Office).
Even if the police are merely asking the researcher for his contact number so they can hear his side of the story, the letter shows that Apperta still reported the event to the police, putting the researcher at risk and possibly forcing him to clear himself of a fabricated accusation.
In the end, this story serves as another example of why you should report data leaks and breaches anonymously, if you report them at all. Acting ethically and responsibly can work against you, and this story is sadly the perfect example of that.