Security engineer Rob Dyke recently reported a data leak to the Apperta Foundation, a non-profit supported by NHS England and NHS Digital. The organisation initially thanked him for responsible reporting, but later ‘thanked him’ with legal correspondence and police intervention. Earlier this month, Dyke discovered an exposed GitHub repository that contained passwords, API keys and sensitive financial records belonging to the Apperta Foundation. The repository had been public since at least 2019. Following the coordinated disclosure process, the researcher encrypted the data he had found and stored it securely for 90 days.
Dyke then received an email from a Northumbria Police cyber investigator relating to a report of “computer misuse”. This came after he had received a reply from an Apperta representative thanking him and saying they would sort the issue. The engineer stated: “I knew how I was supposed to report it to them. So I reported it to them, via their established procedure. And I didn’t really think any more about it.” Apperta’s lawyers stated that they believed the engineer’s actions to be “unlawful” and demanded a written undertaking that any data the engineer had come across had been deleted.