how it started

I told NHS Tech Org about secret info they'd left online. They replied with legals.

Late February I discovered public repositories on GitHub belonging to The Apperta Foundation, a health tech non-profit created by NHS England.
I skimmed the code. It looked like an app for financial management, with pages for budgets and expenditure, and with charts and docs loaded from third-party sites.
Several files in the repo contained things that shouldn't be posted to the internet: usernames, passwords and API keys.
Along with the code there was a compressed database dump that ALSO contained secret info, including API keys for two third-party sites.
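The kind of check that turns up material like this, as an added example that is not from the post and not Apperta's code: a small Python scanner run over a constructed, in-memory repository. The file names, contents and regexes are all hypothetical and illustrative. It flags committed env files, credential and API-key assignments in code and config, and credential tables inside a gzip-compressed SQL dump, and it reports values redacted, the way a disclosure should.

```python
import gzip
import re
from dataclasses import dataclass

# Heuristic patterns for common secret shapes. Written for this example;
# they are not taken from the post or from any Apperta file. Expect false
# positives: every hit still needs a human to verify it.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "api_key_assignment": re.compile(
        r"(?i)\b[a-z_]*(?:api[_-]?key|secret|token)[a-z_]*\b['\"]?\s*[:=>]+\s*['\"]?([A-Za-z0-9_\-]{16,})"),
    "password_assignment": re.compile(
        r"(?i)\b[a-z_]*(?:password|passwd|pwd)[a-z_]*\b['\"]?\s*[:=>]+\s*['\"]?([^\s'\",;]{6,})"),
    "sql_credential_insert": re.compile(
        r"(?i)INSERT INTO\s+`?(?:users|api_keys|oauth_clients|personal_access_tokens)`?\s"),
}
# Values that look like placeholders rather than live secrets.
PLACEHOLDER = re.compile(r"(?i)^(?:env\(|\$\{|<|null\b|required|changeme|example|your_)")
# Files that should never be committed at all, whatever they contain.
ENV_FILE = re.compile(r"(?:^|/)\.env(?:\.[A-Za-z]+)?$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int        # 0 means a file-level finding
    kind: str
    redacted: str    # never the full secret


def redact(value: str) -> str:
    """Keep just enough to recognise the secret in a report."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    if ENV_FILE.search(path):
        findings.append(Finding(path, 0, "env_file_committed", ""))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if PLACEHOLDER.match(value):
                continue
            findings.append(Finding(path, lineno, kind, redact(value)))
    return findings


def load(data: bytes) -> str:
    """Decompress gzip members (a dump.sql.gz, say) before decoding."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8", errors="replace")


def scan_tree(files: dict[str, bytes]) -> list[Finding]:
    """Scan a mapping of repo path -> raw bytes; a real run would walk a clone."""
    out = []
    for path, data in sorted(files.items()):
        out.extend(scan_text(path, load(data)))
    return out


# Constructed sample repository (hypothetical Laravel-style layout and values).
SAMPLE_REPO = {
    ".env": b"APP_ENV=production\nDB_PASSWORD=Sup3rS3cretPw!\n"
            b"MAILGUN_API_KEY=0a1b2c3d4e5f60718293a4b5c6d7e8f9\n",
    "config/services.php": b"<?php\nreturn [\n"
            b"  'mailgun' => ['secret' => 'key-0123456789abcdef0123456789abcdef'],\n"
            b"  'ses' => ['key' => env('AWS_KEY')],\n];\n",
    "README.md": b"# Finance portal\nRun `php artisan serve`.\n",
    "dump.sql.gz": gzip.compress(
        b"INSERT INTO `users` VALUES (1,'admin','$2y$10$abcdefghijklmnopqrstuv');\n"
        b"INSERT INTO `posts` VALUES (1,'hello');\n"),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_REPO):
        print(f"{f.path}:{f.line} {f.kind} {f.redacted}")
```

The `env('AWS_KEY')` reference is skipped by the placeholder filter, the `.env` file is reported both for existing and for each secret it holds, and the dump is decompressed and scanned like any other file. A real report would keep the redacted form and the file/line locations, which is enough for the owner to find and rotate the credential without the report itself becoming a second leak.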

The Apperta Foundation had public code on GitHub stuffed full of secrets.

Apperta, for those that don't know, was created by NHS England in 2015 and given £500k to support open source projects. At the time Peter Coates, NHS England's Open Source Programme Manager and now a Director of Apperta, told Digital Health News that Apperta would:
'be fully transparent, with information published online regarding where money has come from and where it has gone.'

Public repos were probably not in mind.

Back in 2017 I was part of the group that made NHSbuntu - an open source desktop for the NHS. Apperta made a grant of £30,000 to the project and appointed me to a committee. As a committee member, I had the responsibility to ensure that Apperta policies and procedures were followed, and was provided with copies when I joined.
I found Apperta's Information Security Policy and re-read it.
It was my responsibility to alert the Apperta Foundation that I suspected there had been a security breach and to provide as much information as possible (including the date, time and application) to enable the Foundation to investigate and take appropriate counter-measures. Although no longer a subcommittee member, I figured I'd follow the procedure and provide as much information as possible about what looked to be a security breach.
I wrote up what I had discovered as a security report. The doc included screenshots of the repos, alerting Apperta to the contents of the code, the database dump file, and the URLs of the third party sites. I included some notes about published SQLi and RCE vulnerabilities in the version of Laravel framework used by the application.
I emailed the report to Apperta on 1st March at 12:12hrs, stating that I would keep the materials used to create the report for 90 days (encrypted) before destroying them. Apperta responded and thanked me. Within the hour the repos were taken down and the portal taken offline.
The following day I saw that the third-party sites that were referenced in the code (along with API keys!) were still available on public URLs without any authentication. I sent a further report and again was thanked by Apperta.

Done.

Not Done.

On Monday (8th March) I received an email letter from a law firm acting for Apperta. The solicitor wrote that I had hacked into Apperta's systems and extracted, downloaded (and retained) its confidential business and financial data. By writing up my discovery and sending the disclosure I had apparently
'committed various civil wrongs, including breach of confidence and statutory duty, infringement of copyright and unlawful extraction.'
As well as accusing me of committing offences under the Computer Misuse Act 1988 and the Investigatory Powers Act 2016 the solicitor demanded that I give a written undertaking that amounted to me admitting that I had acted unlawfully.
We require your immediate undertaking by 5pm today, Monday 8 March 2021. That you have destroyed or will immediately deliver up, all of our client’s confidential business information in your possession whatsoever. Your confirmation that you have not, and will not, publish the data you unlawfully extracted. Your confirmation that you have not shared the extracted data.
I replied promptly to say:
On or around October 30th 2019 your client published two repositories of code on the public code sharing website Github. These materials were freely available for anyone to view, clone, fork or download from that date.

Thank you for making me aware that your client considers the data that they purposefully published on Github in 2019 as private and confidential business information. I trust that they will be notifying the ICO of the data breach.
I provided the following confirmations:
  1. I confirm that I created and shared security advisories with redacted / obfuscated content with your client.
  2. I confirm that I will retain an encrypted copy of the materials as a record of my actions.
  3. I will provide a certificate of destruction after 90 days from the date of disclosure.
  4. I confirm that I no longer have a copy, clone or fork of the publicly available repositories.
  5. I confirm that I have not and will not publish the data your clients made available on a public website or had published on a public URL.

Rob Dyke @robdykedotcom
InfoSec twitter.
So I find an open repo with dump.sql API keys, usernames etc.
I verify the contents.
take screenshots.
I send a security advisory.
Then I get a letter from the lawyers.
This normal?
#infosec #Legal

I received a reply the following morning.
Not only were the confirmations provided unacceptable, the detailed information I provided in the disclosure to help Apperta had been misinterpreted. I did state that Apperta should consider the portal compromised. With credentials and a copy of the database leaked as well as a dependency on a framework with known RCE and SQLi vulnerabilities, I would definitely consider the application compromised!
Later that afternoon another email.
Since we wrote earlier today, it has now come to our attention that you have boasted of your unlawful extraction and also today threatened to unlawfully access our client’s systems and data again.
These are the tweets that were seen as intimidating and as a threat to access Apperta's systems.

Rob Dyke @robdykedotcom
Found a public repo with API keys, usernames, passwords, and a database dump.

Notified owners.

Gone now.

The email concluded rather ominously:
Our client has a real belief that you pose an imminent further threat and that you now retain its confidential business information and data. You have failed to provide the undertaking requested. Please advise how we may serve your solicitor. If you are representing yourself, kindly confirm.