In light of the news that the One Planet York app – used by York City Council and its residents – has been hacked and up to 6,000 people may have had their data stolen, IT security experts commented below.
Martin Thorpe, Enterprise Security Architect at Venafi8:
“This is a serious breach, with thousands of people having their personal data at put at risk. Unfortunately, hacks of these kind are rising year on year though; York is certainly not alone. There are now over 15.5 billion apps in the UK, often containing very personal information – from health data to financials. Yet developers are often more focused on features and usability than on security. In a bid to increase speed to market, developers are prioritising convenience and failing to build security in from the ground up. This rush to get products to market is resulting in corner cutting and sub-standard solutions are flooding the market. A clear example of this is with the use of free or cheap digital certificates, which are used to provide a ‘machine identity’ to prove that a system or app can be trusted and provide the foundations of secure machine to machine communication. Many developers are just picking the quickest or cheapest certificate they can find and there is often a lack of controls in the system that issues them which weakens security and increases the risk of manipulation.”
Jake Moore, Cyber Security Expert at ESET UK:
“Having personal data stolen is a violation of privacy and extremely lucrative to a hacker. Luckily the passwords were encrypted at the time of the breach but this doesn’t mean that an experienced hacker wouldn’t be able to unravel t hem – especially if it is a relatively easily guessable password, like a simple word and a number. Essentially, if your password may have been used by someone else before online, then it is not secure. My advice is that if your details are on the One Plant York App and your information was stolen or not, you may want to pay extra attention to forthcoming emails over the next few weeks. There may be cleverly designed phishing emails lurking around enticing you to divulge more information or download malware. Luckily, it seems no banking information was stolen but be extra vigilant just in case hackers try to take your identity in order to take cards out in your name.
However, there is also a chance that this “hacker” is an ethical hacker who reported it purely to raise awareness of the potential danger in the app’s weakness.”