Watching The Lives of Others.
Neighbourhood Watch (NW) groups across the UK can now rest easy knowing the developers behind a communications platform fixed a web app bug that leaked their data en masse. Nottingham-based VISAV is the company behind Neighbourhood Alert, a platform that, among other things, claims to offer a secure messaging system between …
Quote: "...UK data protection watchdog the Information Commissioner's Office..."
Laff, laff, laff................
See: https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-patient-royal-free-deal-data-protection-act
Yup.....Google/Deepmind slurped 1.6 million citizen medical records with ABSOLUTELY no consent from anyone (except the idiots at the Royal Free).
Where are these records now? What has Google/Deepmind used them for? Will they be used again.....or turned over to Palantir?
...........or are they included in one of those fashionable LLMs at Google.....
And in all of this the ICO has been conspicuously silent: no fines, no slap on the wrist....nothing at all.
"protection", "watchdog".................Laff, laff, laff..................
"We are sincerely sorry for any distress caused [...] integrity and public safety is of utmost importance to us [...] we take our data protection obligations very seriously."
Looks like the standard responses on the data breach bingo card
"The anomaly was fixed immediately, and we have voluntarily notified every member to inform them and provide guidance, even the vast majority of members who were not potentially affected by it. We have also reported ourselves to the regulator to support our own intensive investigation and help prevent future risks."
...but that actually feels like a more positive response than we see from much larger organisations
The word "sorry" is not on that bingo card. You'll find all sorts of alternatives and euphemisms but no "sorry". To flat-out say "we are sorry" is an unequivocal admission of guilt.
Responding like this is the first baby step toward true responsibility. I'm glad I was sitting down when I read it.
Does nobody in development these days look over a first draft and start to ask "what if?" let alone ask that question while they're actually writing it?
In my experience, yes....but then a project manager comes along and says that we have neither the time nor the budget to support that sort of thing, so please stop
They have to get onto developing the next feature, because you can sell features to customers, but not security. If you tried to sell security it'll just make you look bad when you're inevitably hacked. Security is relative, so you might be less insecure than the next guy but no one is secure.
"...notified every member to inform them and provide guidance, even the vast majority of members who were not potentially affected by it."
The word 'potentially' seems to indicate that they don't have a clue of who has accessed what. So I'm guessing no audit logs.
The terrible thing about this is that this wasn't even a technical attack, it was just standard functionality.
This industry is crying out for a meaningful digital standard, with specification, code, application and infrastructure audits. Maybe in another 200 years when people finally get fed up of the "fail fast" culture.
It is patently obvious by now that web anything is insecure by default.
“Neighbourhood Alert is accessible through web and mobile apps that are endorsed by national and regional local authorities across the UK.”
What tests were run to detect and remove such bugs on this ‘Neighbourhood Alert’ web and mobile app?
“The Register revealed that anyone could sign up using a fake name, email address, and postal code to gain access to a range of personal data on UK citizens within minutes.”
Let me guess who is responsible for the original design, Akbar from India on £10 an hour /s
"[...] that our system had been used in an attempt to access member's data [...]"
1. It is not an "anomaly" if it has been designed that way.
2. Passive voice – "our system had been used to..." – in an attempt to deflect blame (it was the system, not us)
3. "... in an attempt to ..." – forgot to mention it was a successful "attempt"
Such a blunder means that there wasn't an "anomaly", it is a complete fail of incorporating security into the design of the system. Makes you wonder how many more "anomalies" are there, maybe just not as obvious to find as this one.
"Secure by design? Yes, we've read about that somewhere, but we didn't understand it."
1. It is not an "anomaly" if it has been designed that way.
That depends on a rather generous assumption.
BTW "anomaly" seems to be today's word of the day in the Horizon enquiry. "Exception" seems to be taken as an alternative, both apparently furnished by Paula Vennells' IT-literate husband. Personally I think in an IT context "exception" is something quite different and specific but then this is Horizon.
It is too easy for people to get jobs as software engineers. Just today I stumbled upon an approved pull request where some new guy was logging all the request cookies and request headers at warning verbosity. All those session cookies, all those authentication headers, all that PII dumped into a log file that 600 people have access to...
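The kind of request logging described in the comment above can be made safe by redacting credential-bearing headers before the line reaches the logger. This is an added example (Python), not code from the thread or from any project it mentions; the header list and the sample request are constructed for illustration.

```python
import logging

# Headers whose raw values must never reach a log file (constructed list for this example)
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}


def redact_cookie_header(value: str) -> str:
    """Keep cookie names (useful for debugging) but mask every cookie value."""
    parts = []
    for pair in value.split(";"):
        name, sep, _ = pair.strip().partition("=")
        parts.append(f"{name}=<redacted>" if sep else name)
    return "; ".join(p for p in parts if p)


def redact_headers(headers: dict) -> dict:
    """Return a copy of the request headers that is safe to write to a shared log."""
    safe = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "cookie":
            safe[name] = redact_cookie_header(value)
        elif lname in SENSITIVE_HEADERS:
            # Keep only the scheme ("Bearer", "Basic") so the log still shows what kind of credential was sent
            scheme = value.split(" ", 1)[0] if " " in value else ""
            safe[name] = f"{scheme} <redacted>".strip()
        else:
            safe[name] = value
    return safe


def request_log_line(method: str, path: str, headers: dict) -> str:
    """Build the one line we are willing to log; callers emit it at DEBUG, not WARNING."""
    return f"{method} {path} headers={redact_headers(headers)}"


if __name__ == "__main__":
    # Constructed sample request; the token and session id are not real values
    sample_headers = {
        "Authorization": "Bearer eyJhbGciOi.example.token",
        "Cookie": "sessionid=abc123; theme=dark",
        "User-Agent": "curl/8.0",
    }
    logging.basicConfig(level=logging.DEBUG)
    logging.getLogger("http").debug(request_log_line("GET", "/members/42", sample_headers))
```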