Medway council in Kent has corked a hole in its website that spat out residents' names, mailing addresses, phone numbers and email addresses after a Reg reader got in touch to complain.
The breach appeared courtesy of some of Medway Council's electronic forms.
The council's eforms were conceived during a collaboration of several bodies across Kent – the Kent Channel Migration Project – which looked at "ways to encourage more use of digital technologies within high-volume local government services."
But according to this cached report (PDF), the launch was held back due to some "very clear flaws" – although they were in "usability and design" rather than, say, insecure object reference bugs or other security issues.
In April, the council announced on its Facebook page that eforms were going to be made "easier" for residents to use.
El Reg understands that at least a subset of these were configured with enumerable parameters and – by the looks of things – even allowed visitors write access. By changing a few digits in a URL on the relevant subdomain, our reader was able to access strangers' personal data and we were easily able to reproduce the problem last week.
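The bug class described above, shown as an added example that is not from the article or from the council's code: a constructed in-memory form store where one lookup trusts a sequential URL parameter and the other uses a random reference plus an ownership check on both read and write. The names `FormStore`, `read_by_id`, `read`, `update` and the sample records are assumptions made for illustration.

```python
import secrets


class FormStore:
    """In-memory stand-in for an eform back end (hypothetical, constructed data)."""

    def __init__(self):
        self._rows = {}        # sequential id -> {"owner": ..., "data": ...}
        self._by_ref = {}      # random reference -> sequential id
        self._next_id = 1000

    def submit(self, owner, data):
        """Store a submission; return (sequential id, random reference)."""
        row_id = self._next_id
        self._next_id += 1
        ref = secrets.token_urlsafe(16)  # 128 random bits, unrelated to neighbours
        self._rows[row_id] = {"owner": owner, "data": dict(data)}
        self._by_ref[ref] = row_id
        return row_id, ref

    # Weak pattern: the URL parameter alone selects the record, so any
    # visitor who alters the number is served someone else's submission.
    def read_by_id(self, row_id):
        row = self._rows.get(row_id)
        return dict(row["data"]) if row else None

    # Hardened pattern: resolve the random reference, then confirm the
    # record belongs to the authenticated session before any access.
    def _authorised_row(self, session_user, ref):
        row_id = self._by_ref.get(ref)
        if row_id is None:
            return None
        row = self._rows[row_id]
        if row["owner"] != session_user:
            return None  # same response as "not found": no existence oracle
        return row

    def read(self, session_user, ref):
        row = self._authorised_row(session_user, ref)
        return dict(row["data"]) if row else None

    def update(self, session_user, ref, changes):
        """Write access goes through the same ownership check as reads."""
        row = self._authorised_row(session_user, ref)
        if row is None:
            return False
        row["data"].update(changes)
        return True
```

The random reference only makes records hard to find; the ownership check is what actually stops one resident reading or editing another's form.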
Council devs, who we understand maintain the forms, were very responsive, fixing the eforms config problem within two days of The Reg alerting them to the issue.
A Medway Council spokesperson said: "We immediately removed the potentially affected forms from our website when we became aware of the potential issue. We have carried out an initial review of the matter and have found that just one form was affected in certain circumstances. We have provided an initial report to the Information Commissioner's Office. We have also taken action to fully resolve the technical issue with the form to avoid this happening again. We take all steps to ensure personal data...