NHS-backed org reacted to GitHub leak disclosure with legal threats and police call, complains IT pro

2021-05-14 10:02

IT pro Rob Dyke says an NHS-backed company not only threatened him with legal action after he flagged up an exposed GitHub repository containing credentials and insecure code, it even called the police on him.

What happened next united infosec professionals across the world as well as triggering a crowdfundraiser and a behind-the-scenes legal war: we're told Apperta sent Dyke legal demands, and followed those up by alleging to the cops that he broke Britain's computer security laws.

We understand Apperta - which is a not-for-profit company that provides tech, support, and funding for health and social care - has taken down its GitHub repo, and replaced its exposed API keys.

Dyke, who is a cloud platform engineering lead at a global consultancy, reminded Apperta that he only viewed webpages that had been publicly accessible, that he would remove a fork he made of the repo on GitHub to study it, and said he would destroy his copy of the data after three months had passed, among other undertakings.

As far as the disclosure went, The Register has seen evidence that the repo in question was uploaded two years ago by a senior Apperta person, and it shouldn't have been made public.

As for any potential civil disputes, Dyke has since given a legal undertaking to Apperta, as both parties confirmed to The Register separately.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/05/14/apperta_rob_dyke_disclosure_brouhaha/

#disclosure #github #leak #NHS #police #threat

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Github		12	3	40	30	15	88