David Eade

David Eade is a web developer and web security consultant, based in Billingshurst, West Sussex, UK. Most security vulnerabilities are privately reported to the respective vendor. This blog includes only resolved issues not subject to a non-disclosure agreement.

Capita Disclosure and Barring Service leaks personal data

Capita's hosted platform for DBS checks was misconfigured. In practical terms, someone outside your home or workplace could observe users' sensitive information in transit.

20 June 2019

Capita's eBulkPlus platform handles extremely sensitive information for the purpose of identifying applicants. It is used by organisations such as schools and charities. The contents of pages viewed and information submitted by the user could be recorded by a man-in-the-middle and retrospectively decrypted. Observations were based on information served by the platform during normal usage.

Capita claim their system is used to perform "over 1 million DBS, Disclosure Scotland and international criminal record checks every year, on behalf of 30,000 clients".

Disclosure Date: 20 June 2019
Affected Product(s): Capita eBulkPlus
Vendor: The Capita Group Plc.

Disclosure Timeline

22 March 2019 Vulnerabilities reported to thirtyone:eight [https://thirtyoneeight.org/dbs-service/apply-for-a-check/], the charity recommended by my church to apply for DBS checks.
22 March 2019 Email from thirtyone:eight - "Many thanks for your email and for the information contained within it. We have brought this to the attention of our software provider for their urgent consideration and will reply to you more fully as soon as we have received communication from them."
27 March 2019 Email from thirtyone:eight - "We are still awaiting a full response to your query, but I am sure I will soon be able to answer your query."
3 April 2019 Email received from thirtyone:eight - "As a direct result of your original email to us our CEOs and Head of Advisory Services met with Capita this morning to address the issues. The meeting was very positive and we will send you an email later today of the action that will be taken and the way forward."
9 April 2019 Email received from thirtyone:eight - "The change process to implement this is well underway with implementation expected by the end of April."
31 May 2019 David emailed thirtyone:eight for an update.
3 June 2019 Email received from thirtyone:eight - "We are pleased this has now been resolved but have been frustrated and disappointed that it took this long. [...] We have a meeting later in the month already booked with Capita/Security Watchdog and will be using that (amongst other things) to ensure that any learning and processes have been implemented to ensure that, as far as is reasonably possible, this cannot happen again."