An engineer reveals that he received a letter threatening legal liability after reporting a vulnerability that could have exposed personal information

Yannick Dixken, a platform engineer and diving instructor, discovered a vulnerability on the portal site of his sports insurance company that could have led to a serious personal information leak. He reported the vulnerability and received a letter from the insurance company's data protection officer stating that his actions could constitute a criminal offense. He published a blog post describing how this unfolded.
I found a Vulnerability. They found a Lawyer. | Blog | Yannick Dixken
https://dixken.de/blog/i-found-a-vulnerability-they-found-a-lawyer

According to Dixken, he first became aware of the vulnerability while registering students as an instructor. He noticed that the user IDs in the messages sent to students appeared to be sequential numbers, which would make them easy to guess, so he decided to investigate.
The portal site of the sports insurance company in question was designed so that users logged in with a combination of a 'user ID consisting of consecutive numbers' and an 'initial password common to all accounts.' It did not require users to change their password upon first login, and there were no rate limits, no lockout function to temporarily lock an account after multiple failed login attempts, and no multi-factor authentication.
From this, Dixken says that it was possible to access profile information such as name, address, phone number, email address and date of birth simply by guessing the numbers and entering the initial password.
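The design flaws listed above (guessable IDs, one shared initial password, no forced rotation, no lockout, no rate limit) each have a well-known countermeasure. The following is an added example, not code from Dixken's post or from the insurer's portal: a hypothetical in-memory login model that applies those controls, together with a detector that flags a source walking consecutive numeric user IDs in a constructed sample of authentication log lines. Account and log formats, thresholds, IP addresses and user IDs are all assumptions made up for the example.

```python
# Added example (not the insurer's or Dixken's code): hypothetical login model
# with per-account initial credentials, forced rotation, lockout and rate
# limiting, plus a detector for sequential-ID probing in constructed log lines.
import secrets
import string
from collections import defaultdict, deque
from dataclasses import dataclass

MAX_FAILURES = 5        # failed logins before a temporary lock (assumed value)
LOCKOUT_SECONDS = 900   # lock duration (assumed value)
RATE_LIMIT = 20         # attempts per source address per window (assumed value)
RATE_WINDOW = 60        # window length in seconds (assumed value)


@dataclass
class Account:
    user_id: str
    password: str
    must_change_password: bool = True   # initial credential is single-use
    failures: int = 0
    locked_until: float = 0.0


def generate_initial_password(length: int = 16) -> str:
    """One random initial password per account instead of one shared default."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Portal:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.attempts: dict[str, deque] = defaultdict(deque)

    def register(self) -> Account:
        # Opaque identifier: there is nothing to count up from.
        acct = Account(secrets.token_urlsafe(12), generate_initial_password())
        self.accounts[acct.user_id] = acct
        return acct

    def _rate_limited(self, source: str, now: float) -> bool:
        window = self.attempts[source]
        while window and now - window[0] > RATE_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return True
        window.append(now)
        return False

    def login(self, user_id: str, password: str, source: str, now: float) -> str:
        if self._rate_limited(source, now):
            return "rate_limited"
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"          # same answer as a wrong password: no ID oracle
        if now < acct.locked_until:
            return "locked"
        if not secrets.compare_digest(acct.password, password):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
            return "denied"
        acct.failures = 0
        if acct.must_change_password:
            return "password_change_required"   # no profile access until rotated
        return "ok"

    def change_password(self, user_id: str, new_password: str) -> None:
        acct = self.accounts[user_id]
        acct.password = new_password
        acct.must_change_password = False


# Constructed sample auth log: one source walking consecutive numeric IDs with
# failed logins, and one ordinary user who mistyped once and then succeeded.
SAMPLE_LOG = [
    "2025-04-28T10:00:01 src=203.0.113.5 user=100231 result=denied",
    "2025-04-28T10:00:02 src=203.0.113.5 user=100232 result=denied",
    "2025-04-28T10:00:03 src=203.0.113.5 user=100233 result=denied",
    "2025-04-28T10:00:04 src=203.0.113.5 user=100234 result=denied",
    "2025-04-28T10:00:05 src=203.0.113.5 user=100235 result=denied",
    "2025-04-28T10:00:07 src=198.51.100.7 user=100240 result=denied",
    "2025-04-28T10:00:09 src=198.51.100.7 user=100240 result=ok",
]


def detect_enumeration(lines, min_distinct: int = 5) -> dict:
    """Flag sources whose failed logins span many distinct (and consecutive) IDs."""
    failed_ids = defaultdict(set)
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("result") != "ok":
            failed_ids[fields["src"]].add(fields["user"])
    flagged = {}
    for src, users in failed_ids.items():
        if len(users) < min_distinct:
            continue
        ids = sorted(int(u) for u in users if u.isdigit())
        sequential = len(ids) > 1 and all(b - a == 1 for a, b in zip(ids, ids[1:]))
        flagged[src] = {"distinct_users": len(users), "sequential": sequential}
    return flagged
```

Note that `login` returns the same "denied" answer for an unknown ID and for a wrong password, so the response itself does not confirm which IDs exist, and a successful first login with the initial credential yields only "password_change_required" rather than profile access. The detector keys on failed attempts per source rather than per account, because single-password spraying across many IDs never trips a per-account counter.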

Considering the issue to be of major impact because the data included minors, Dixken reported it to CSIRT Malta, Malta's incident response organization, and to the sports insurance company that operates the portal site, on April 28, 2025. He requested that a confirmation of receipt be returned within a certain period of time, offered to share reproduction steps and verification results in encrypted form, and suggested that a contact point and an IT security hotline be established.
Malta's Coordinated Vulnerability Disclosure Policy (PDF file) states that 'if a vulnerability is identified, the discoverer must report it in writing to both CSIRT Malta and the responsible party,' and Dixken proceeded in accordance with this policy.
Two days later, Dixken received a letter not from the sports insurance company's IT department, but from the law firm acting as its data protection officer. The letter stated that an investigation into the vulnerability had begun, and that the company would reset default passwords and implement two-factor authentication. However, the letter also expressed dissatisfaction, saying that 'notifying the authorities first would have added complexity and exposed the organization to undue liability.' It further suggested that the discoverer's actions 'may constitute a criminal offence under Maltese law,' implying that he could be held liable.
In addition, the sports insurance company demanded that Dixken sign a declaration stating that he had deleted the data, that he would not disclose any information about the vulnerability, and that he would keep the process of reporting the vulnerability confidential, and also demanded that he provide his passport ID by the end of the day. While Dixken was willing to provide proof that he had deleted the data, he refused to agree to the clause that kept the reporting process confidential, and instead proposed a revised agreement.

Dixken points out that this type of response by an organization silences those who report vulnerabilities, producing a chilling effect that discourages reporting. He also takes issue with the fact that the sports insurance company appears to have assumed that changing passwords was the user's responsibility. Since the initial password was the same for everyone, no password change was required, and the password was combined with an easily guessable sequential ID, Dixken argues that the system's designers should have prevented this in the first place.
The vulnerability was eventually fixed, initial passwords were reset, and two-factor authentication is being implemented, but Dixken says he is making additional inquiries to the organization because he has not been able to confirm whether affected users have been notified.
It is not uncommon for the person who reports a vulnerability to be intimidated with legal pressure. Dixken points out that when an organization's initial response is led by its legal team, it can appear as if the organization is more focused on 'suppressing the issue to prevent trouble' than on fixing the technical problem.
in Web Service, Security, Posted by log1b_ok