TL;DR: I made a responsible security disclosure to Apperta, an NHS tech org that had negligently spilled usernames, passwords, and financial data on the internet. They responded with threats of legal action.
Read my write-up 'howto disclose' and my blog No Good Deed Goes Unpunished.
How it started:
Late February I found two public repositories on GitHub with application code, a database dump, API keys, usernames and passwords. I followed the URLs in the repos and verified the author of the repos and the owner as Apperta Foundation.
I wrote up my findings, including copious (obfuscated) screenshots, as a Security Disclosure which I sent to Apperta on the 1st of March. Apperta responded the same day, thanking me for the detailed notice. The repos were taken down and the website was taken offline.
On Monday (8th) I received a letter from a law firm representing Apperta, accusing me of committing offences under the Computer Misuse Act 1990 and the Investigatory Powers Act 2016 and demanding that I give commitments that amounted to me acknowledging that I had unlawfully hacked into and penetrated systems and databases.
How it's gone:
Over March and April in the region of 500 emails were exchanged in search of a form of words that Apperta would accept as confirmation that I had deleted the materials discovered.
Apperta filed a cybercrime incident with the police. Thankfully the police closed the record as no action necessary.
In the last week of April Apperta again threatened to attempt to obtain a court injunction.
I'm in limbo. Mentally worn down. Counting the costs.
Legals & costs have run to £25,000.
Read my blog No Good Deed Goes Unpunished
About Me: I'm a long-time open source hacker. A decade of my career was in NHSland, where I co-founded open eObs and made an OS for the NHS. These days I research the security and privacy of apps listed in the NHS Apps Library.