by bashtoni on 4/14/21, 10:33 PM with 13 comments
by DigitalSea on 4/14/21, 10:57 PM
The aggressive response and how quickly they got their lawyers involved are telling: they know they are in deep trouble over this, and it shows how little they grasp and understand what has happened here.
The Apperta website did give me a good laugh when I read this:
> We show how the delivery of health and social care can be transformed when data, information and knowledge in IT systems is open, shareable and computable.
They certainly live up to their mission statement.
by g_p on 4/14/21, 11:43 PM
It sounds like Apperta might have been "established" in collaboration with Government, although it's not clear if they are still run as such.
In this case, it sounds like a bunch of incompetents who don't understand how the internet, or indeed security, works, who then retained a bunch of lawyers that don't know how the internet or security works either. Lawyers have an ethical duty to act within their own competency, and that can be enforced by their regulator. I'll leave it for the reader to decide if these lawyers are acting within their own competency or not.
The main regulation at hand would be the Computer Misuse Act. Since they published this content onto GitHub, and the author (presumably) has evidence and an admission of this fact, they now have GitHub's TOS to rely on:
> Any User-Generated Content you post publicly, including issues, comments, and contributions to other Users' repositories, may be viewed by others. By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).
They knowingly made it public. That means you did not exceed authorised access in anything you did, and therefore did not gain unauthorised access to any protected computer system. At least based on the info from this blog post. The Investigatory Powers Act doesn't seem relevant, at least without any detail of their claim - that's primarily to regulate government access to information, and certainly not your access to public information they chose freely to publish.
An ICO report seems reasonable, though perhaps worth waiting 72 hours, so they have gone over the legally required time for reporting a data breach upon becoming aware. What's the bet their lawyers advised them to report the breach properly and promptly?
by dn3500 on 4/14/21, 11:39 PM
https://portswigger.net/daily-swig/security-researcher-launc...
by djoldman on 4/14/21, 11:23 PM
At the least, just don't respond at all? Wait until they file a lawsuit. If you didn't do anything wrong, it will get thrown out with one motion, at least in the US.
I am not a lawyer.
by dtx1 on 4/14/21, 11:16 PM
by towergratis on 4/14/21, 11:15 PM
by albertopv on 4/15/21, 5:48 AM