Watch: We Had Legal Obligation To Report Hack But Never Intended To Go After Students, FreeHour Head Says After ‘Bug Bounty’ Demand
FreeHour owner Zach Ciappara has said his company was legally obliged to file a police report against a group of student hackers who had accessed their backend and requested a “bug bounty” for spotting the vulnerability.
“In October, we received an email from these four students explaining there was a vulnerability in FreeHour’s backend and that they gained access to parts of the system,” Ciappara explained.
This email gave FreeHour a three-month deadline to fix the vulnerability and requested a “bug bounty” as a reward for identifying the flaw.
“We were quite concerned and shocked and we spoke to our developers to get them to immediately start working on fixing this issue and investigate it,” Ciappara said.
“Luckily no data was compromised and the flaw in the system was fixed in a few hours. Within 24 hours a patch was released which made everyone’s data secure.”
Ciappara said that he consulted lawyers and the Information and Data Commissioner, who informed him that FreeHour was legally bound – under GDPR law – to report the hack to the police.
“Our intent was to cover ourselves legally; if we hadn’t filed a report we would have been breaking the law ourselves. Our intent was never to get these students in trouble or to go after them directly.”
He said the police didn’t keep FreeHour updated on their investigations, and that he was surprised by certain comments the students made when they were interviewed by Times of Malta today.
Ciappara also urged the police and the justice system not to go hard on the students, stating he believes their actions weren’t malicious.
“It seems there wasn’t malicious intent and we’re grateful they brought it to our attention so we could fix it and improve our systems.”
“I hope this all ends up solving itself, and that they are charged or not charged in a right way. We apologise for the initial vulnerability – unfortunately these happen when dealing with tech – and I hope this ends up settling itself in the best way possible.”
In their interview, the four computer science students – Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins – said they had spotted a vulnerability in FreeHour’s backend which, if exploited, could have compromised students’ private data.
“In simple terms, every user is an admin without knowing it,” Collins said.
In November, police arrested the students, strip-searched and interrogated them, and seized their electronic devices. These devices are still in the hands of the police, who are still investigating the incident and haven’t filed any charges against the students.
What do you think FreeHour should have done after receiving this email?