CITY of York Council has thanked the computer developer who flagged up a major online security breach - despite having previously reported them to the police.

Earlier this month, the council was contacted by a person who said they had found a way to access personal data, including phone numbers, encrypted passwords and addresses, of residents using the One Planet York app.

The authority alerted all users of the app and reported the incident to the police.

However, they have now backed down, posting on Twitter that they are grateful to the person who identified the issue.

They said: "Following further review it has become clear that the person who identified the issue with the app had tried to contact us but their email had not been received due to security settings.

"Whilst we consider we took appropriate measures based upon the facts at the time, we can now confirm that this was a well intended action by the individual concerned and we would like to thank them for raising this matter."

The data breach had left details of almost 6,000 York residents easily available.

The council alerted all users of the app - which enables users to check bin collection dates and recycling details - and reported the incident to North Yorkshire Police, but stated the 'hackers' did not request anything in return for the personal data, suggesting they were "someone who looks for data vulnerabilities in the public interest".

This week, a company known as RapidSpike - a team of computer developers - said they had found the problem and alerted the council through its ICT security team in an effort to help them prevent cybercrime.

A spokesman said: "Our developer identified a significant security vulnerability with the One Planet York app: it was sending the personal details of its users to other users of the app whenever the ‘Leaderboard’ page was selected.

"It is important to note here that our developer did not do ‘anything to exploit the vulnerability.’ He simply browsed to a page within the app, as any user would. We’re releasing this statement in response to the reporting of the data breach and to help protect and encourage white hat security researchers who perform an absolutely critical role in the fight against cybercrime."

RapidSpike said the personal data available to anyone using the app included the users’ name, email address, phone number, postal address, postcode and other sensitive information such as their password - although the password was 'hashed' - a form of encryption.

The spokesman said: "At no time were council servers compromised or otherwise accessed using this data.

"Fortunately, our developer found this fundamental security weakness before it could be exploited by an attacker. We must be really clear at this point: our developer did not manipulate any requests.

"This personal data was sent to any user of the app when they browsed that page."
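The failure described above is a case of excessive data exposure: a leaderboard endpoint serialised whole user records, so every field stored against a user (contact details and the password hash included) went to any user who opened the page. The following is an added illustration written for this article, not code from the One Planet York app, RapidSpike or the council; the record layout, field names and sample users are constructed. It contrasts serialising the full record with projecting onto an explicit allow-list, and includes a check that a team could run over any response served to other users. Note that a hashed password is not encrypted (hashing is one-way), but a leaked hash can still be attacked offline, so it belongs in the same never-expose category as the contact details.

```python
from dataclasses import dataclass, asdict

# Constructed sample records for the example; not real resident data.
@dataclass
class UserRecord:
    user_id: int
    display_name: str
    points: int
    email: str
    phone: str
    address: str
    postcode: str
    password_hash: str

SAMPLE_USERS = [
    UserRecord(1, "recycler42", 310, "a@example.invalid", "01904 000000",
               "1 Example Street", "YO1 0AA", "$2b$12$placeholder_hash_1"),
    UserRecord(2, "binday", 275, "b@example.invalid", "01904 000001",
               "2 Example Street", "YO1 0AB", "$2b$12$placeholder_hash_2"),
    UserRecord(3, "greenbin", 420, "c@example.invalid", "01904 000002",
               "3 Example Street", "YO1 0AC", "$2b$12$placeholder_hash_3"),
]

# Fields that must never appear in a response served to other users.
SENSITIVE_FIELDS = frozenset({"email", "phone", "address", "postcode", "password_hash"})

# Allow-list of the only fields a leaderboard actually needs.
LEADERBOARD_FIELDS = ("display_name", "points")


def leaderboard_unsafe(users):
    """Serialises whole records: the pattern the article describes."""
    ranked = sorted(users, key=lambda u: u.points, reverse=True)
    return [asdict(u) for u in ranked]


def leaderboard_safe(users):
    """Projects each record onto an explicit allow-list before serialising,
    so new columns added to the record later are not exposed by default."""
    ranked = sorted(users, key=lambda u: u.points, reverse=True)
    return [{field: getattr(u, field) for field in LEADERBOARD_FIELDS} for u in ranked]


def exposed_sensitive_fields(payload):
    """Returns the set of sensitive keys present in a list-of-dicts response.
    Intended as a regression check over every endpoint that serves data
    about one user to another."""
    found = set()
    for item in payload:
        found.update(SENSITIVE_FIELDS.intersection(item.keys()))
    return found


if __name__ == "__main__":
    print("unsafe endpoint exposes:", sorted(exposed_sensitive_fields(leaderboard_unsafe(SAMPLE_USERS))))
    print("safe endpoint exposes:", sorted(exposed_sensitive_fields(leaderboard_safe(SAMPLE_USERS))))
```

The design point is the direction of the default: an allow-list (`LEADERBOARD_FIELDS`) fails closed when someone adds a column to the user table, whereas a deny-list of known-sensitive fields fails open. The `exposed_sensitive_fields` check is the kind of test that would have caught this before release, without anyone needing to manipulate requests.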

The spokesman said the council referred to the discovery as a "deliberate and unauthorised access by a third party", and reported the developer to the police - something the company disputes.

He said: "There is an established precedent in the UK for legitimate security researchers to disclose vulnerabilities within information systems to relevant security teams. The council’s positioning of this good-faith disclosure as a deliberate attack flies in the face of the UK Government’s National Cyber Security Centre advice on the matter, and the International Standard framework for vulnerability disclosure.

"We support our developer’s actions, and believe he acted in the public’s best interests at all times. The handling of the One Planet York data breach led the public, our developer and our team to have some anxious moments until the police confirmed all was OK."