back to article Over a million Neighbourhood Watch members exposed through web app bug

Neighbourhood Watch (NW) groups across the UK can now rest easy knowing the developers behind a communications platform fixed a web app bug that leaked their data en masse. Nottingham-based VISAV is the company behind Neighbourhood Alert, a platform that, among other things, claims to offer a secure messaging system between …

  1. Anonymous Coward
    Anonymous Coward

    Watching

    The Lives of Others.

  2. Anonymous Coward
    Anonymous Coward

    The Joke Is On The Public (The Joke Called GDPR)

    Quote: "...UK data protection watchdog the Information Commissioner's Office..."

    Laff, laff, laff................

    See: https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-patient-royal-free-deal-data-protection-act

    Yup.....Google/Deepmind slurped 1.6 million citizen medical records with ABSOLUTELY no consent from anyone (except the idiots at the Royal Free).

    Where are these records now? What has Google/Deepmind used them for? Will they be used again.....or turned over to Palantir?

    ...........or are they included in one of those fashionable LLMs at Google.....

    And in all of this the ICO has been conspicuously silent: no fines, no slap on the wrist....nothing at all.

    "protection", "watchdog".................Laff, laff, laff..................

  3. Hans Neeson-Bumpsadese Silver badge

    "We are sincerely sorry for any distress caused [...] integrity and public safety is of utmost importance to us [...] we take our data protection obligations very seriously."

    Looks like the standard responses on the data breach bingo card

    "The anomaly was fixed immediately, and we have voluntarily notified every member to inform them and provide guidance, even the vast majority of members who were not potentially affected by it. We have also reported ourselves to the regulator to support our own intensive investigation and help prevent future risks."

    ...but that actually feels like a more positive response than we see from much larger organisations

    1. ChoHag Silver badge
      WTF?

      The word "sorry" is not on that bingo card. You'll find all sorts of alternatives and euphemisms but no "sorry". To flat-out say "we are sorry" is an unequivocal admission of guilt.

      Responding like this is the first baby step toward true responsiblilty. I'm glad I was sitting down when I read it.

  4. Doctor Syntax Silver badge

    Does nobody in development these days look over a first draft and start to ask "what if?" let alone ask that question while they're actually writing it?

    1. Hans Neeson-Bumpsadese Silver badge
      Unhappy

      Does nobody in development these days look over a first draft and start to ask "what if?" let alone ask that question while they're actually writing it?

      In my experience, yes....but then a project manager comes along and says that we have neither the time nor the budget to support that sort of thing, so please stop

      1. Andy Non Silver badge

        That can be the only explanation, because this is such a serious and blatantly obvious security blunder it should never have got past first draft of the spec.

        1. Doctor Syntax Silver badge

          Quite. You'll notice I deliberately didn't say first draft of what, partly because that would have requires assumptions about things like specs and designs.

          1. Daniel Gould

            Probably a feature one of the developers added, as it was useful to them when they were testing the functions.

      2. Alan Brown Silver badge

        "How's our public liability insurance and does it have exclusions for failures to actually check things?"

    2. simonlb Silver badge

      Yeah, but penetration testers cost money. However, we've been assured the site is secure so we don't need to do any of that nonsense. Carry on.

    3. DS999 Silver badge

      There's no time in the schedule for that

      They have to get onto developing the next feature, because you can sell features to customers, but not security. If you tried to sell security it'll just make you look bad when you're inevitably hacked. Security is relative, so you might be less insecure than the next guy but no one is secure.

  5. Anonymous Coward
    Anonymous Coward

    "...notified every member to inform them and provide guidance, even the vast majority of members who were not potentially affected by it."

    The word 'potentially' seems to indicate that they don't have a clue of who has accessed what. So I'm guessing no audit logs.

    The terrible thing about this is that our wasn't even a technical attack, it was just standard functionality.

    This industry is crying out for a meaningful digital standard, with specification, code, application and infrastructure audits. Maybe in another 200 years when people finally get fed up of the "fail fast" culture.

    1. Andy Non Silver badge

      "The terrible thing about this is that our wasn't even a technical attack, it was just standard functionality."

      It was gross incompetence by whoever was responsible for the system... They should be fired, hang their head in shame and never work in IT again.

    2. Bitbeisser

      Don't just love that CD/CI stuff?

  6. JessicaRabbit

    Is there a name for the quotation style used in the article where each paragraph gets on opening double quote mark but only the last paragraph gets a closing one?

    1. Anonymous Coward
      Anonymous Coward

      I don't believe it's any particular style, just the right way of using punctuation in cases where a quotation spans multiple paragraphs.

      1. heyrick Silver badge

        Just think of it as:

        " Quotation begins

        " Yup, still quoting

        " Still blathering on

        " What, is this a filibuster?

        " Oh, at last, he's finally shut up. "

    2. Gene Cash Silver badge

      Same jarring arbitrary crap as the Bbc declaring acronyms will no longer be all-caps (except they still fully capitalize Bbc)

      Sorry... it should be NASA, and not Nasa. Even El Reg follows this: https://www.theregister.com/2024/04/23/voyager_1_engineering_updates/

    3. Doctor Syntax Silver badge

      I'm sure there is. It's maybe a bit old-fashioned these days.

      1. Hubert Cumberdale Silver badge

        I'd say it's fairly standard journalistic style.

    4. PM.

      it's still better than when..

      ..someone writes quote-unqoute in an article.

  7. t245t Silver badge
    Big Brother

    Web app bugs ..

    It is patently obvious by now that web anything is insecure by default.

    Neighbourhood Alert is accessible through web and mobile apps that are endorsed by national and regional local authorities across the UK.

    What tests were run to detect and remove such bugs on this ‘Neighbourhood Alert’ web and mobile app?

    The Register revealed that anyone could sign up using a fake name, email address, and postal code to gain access to a range of personal data on UK citizens within minutes.

    Let me guess who is responsible for the original design, Akbar from India on £10 an hour /s

    1. Andy Non Silver badge

      Re: Web app bugs ..

      He likely subcontracted it out to his North Korean counterpart for £1 per hour. /s

  8. heyrick Silver badge

    "endorsed by national and regional local authorities across the UK"

    Well, that's the kiss of death, isn't it?

  9. Frank Bitterlich

    Anomaly?

    "[...] that our system had been used in an attempt to access member's data [...]"

    1. It is not an "anomaly" if it has been designed that way.

    2. Passive voice – "our system had been used to..." – in an attempt to deflect blame (it was the system, not us)

    3. "... in an attempt to ..." – forgot to mention it was a successful "attempt"

    Such a blunder means that there wasn't an "anomaly", it is a complete fail of incorporating security into the design of the system. Makes you wonder how many more "anomalies" are there, maybe just not as obvious to find as this one.

    "Secure by design? Yes, we've read about that somewhere, but we didn't understand it."

    1. Doctor Syntax Silver badge

      Re: Anomaly?

      1. It is not an "anomaly" if it has been designed that way.

      That depends on a rather generous assumption.

      BTW "anomaly" seems to be today's word of the day in the Horizon enquiry. "Exception" seems to be taken as an alternative, both apparently furnished by Paula Vennels' IT-literate husband. Personally I think in an IT context "exception" is something quite different and specific but then this is Horizon.

    2. This post has been deleted by its author

  10. Mike 137 Silver badge

    Literal interpretation?

    " ... those who created the scheme could see all NW members in that area. The problem was that these coordinators crucially didn't have to pass an approval or verification process."

    Clearly the developers misunderstood the purpose of "neighbourhood watch".

  11. trancewald

    Software engineering should require a license

    It is too easy for people to get jobs as software engineers. Just today I stumbled upon an approved pull request where some new guy was logging all the request cookies and request headers at warning verbosity. All those session cookies, all those authentication headers, all that PII dumped into a log file that 600 people have access to...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like