Security Researcher Faces Legal Threats After Exposing Diving Insurer's Data Vulnerability
#Vulnerabilities

Startups Reporter

A platform engineer discovered critical security flaws exposing minors' personal data in a diving insurance portal, triggering legal threats instead of collaboration when responsibly disclosed.

When Yannick Dixken boarded a dive boat near Cocos Island, Costa Rica, he expected to encounter marine life—not a massive data vulnerability. As both a diving instructor and infrastructure security specialist, Dixken discovered alarming security flaws in the member portal of a major diving insurer—one that insured him personally. What followed became a case study in how organizations mishandle vulnerability disclosures.

The vulnerability was shockingly simple: sequential user IDs and universal default passwords never forced to change. "Every account was provisioned with a static default password," Dixken explained. "Combine that with incrementing numeric user IDs, and you could access full profiles—names, addresses, birthdates, even minors' data—by guessing numbers."

Dixken confirmed the flaw affected underage users, citing one case where a 14-year-old's complete profile was exposed. His verification script used Selenium browser automation to demonstrate how easily attackers could harvest data. Despite the trivial exploit path, the portal lacked basic safeguards like rate limiting or multi-factor authentication.
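The enumeration pattern described above (one source walking incrementing numeric user IDs, with no rate limiting to stop it) is exactly the kind of thing a portal's own authentication logs can surface. The following is an added example written for this article, not code from Dixken's write-up or the insurer; the log line format and the sample lines are constructed, and the thresholds are assumptions to be tuned per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines in an assumed "key=value" format.
# One source touches five consecutive user IDs within seconds; another
# logs into a single account twice, eight minutes apart (normal use).
SAMPLE_LOG = """\
2025-04-28T10:00:01Z src=203.0.113.5 user_id=10041 result=success
2025-04-28T10:00:02Z src=203.0.113.5 user_id=10042 result=success
2025-04-28T10:00:03Z src=203.0.113.5 user_id=10043 result=failure
2025-04-28T10:00:04Z src=203.0.113.5 user_id=10044 result=success
2025-04-28T10:00:05Z src=203.0.113.5 user_id=10045 result=success
2025-04-28T10:01:00Z src=198.51.100.7 user_id=10500 result=success
2025-04-28T10:09:00Z src=198.51.100.7 user_id=10500 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user_id=(?P<uid>\d+) result=(?P<res>\w+)$")

def parse(log_text):
    """Parse log lines into (timestamp, source, user_id, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], int(m["uid"]), m["res"]))
    return events

def detect_enumeration(log_text, window=timedelta(minutes=5), min_ids=4, max_gap=2):
    """Return {source: [user_ids]} for sources that hit at least `min_ids`
    distinct accounts inside `window`, where the sorted IDs are near-sequential
    (each step at most `max_gap`). Successes and failures both count, because
    a static default password makes most guesses succeed."""
    by_src = defaultdict(list)
    for ts, src, uid, _res in parse(log_text):
        by_src[src].append((ts, uid))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window
                start += 1
            ids = sorted({uid for _, uid in evs[start:end + 1]})
            if len(ids) >= min_ids and all(b - a <= max_gap for a, b in zip(ids, ids[1:])):
                flagged[src] = sorted(set(flagged.get(src, [])) | set(ids))
    return flagged
```

Running `detect_enumeration(SAMPLE_LOG)` flags only the source that swept the consecutive IDs; a hit is a trigger to rate-limit the source and to review which accounts still carry the provisioning-time default password.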

Following responsible disclosure protocols, Dixken reported the issue to Malta's Computer Security Incident Response Team (CSIRT Malta) on April 28, 2025, citing GDPR violations. He concurrently notified the organization, offering technical collaboration and a standard 30-day embargo before public disclosure.

The response stunned him. Instead of security teams, a law firm representing the insurer replied: "We must respectfully note that notifying the authorities prior to contacting the Group creates additional complexities." Their letter escalated to accusations that Dixken's actions "likely constitute a criminal offence" under Maltese law (Article 337E), demanding he sign an NDA by day's end.

The demanded declaration attempted to prohibit discussion of the disclosure process itself, stating: "I shall keep the content of this declaration strictly confidential." When Dixken refused, citing the importance of transparency, the organization doubled down on legal threats. They explicitly objected to any public mention of their name, warning of "disproportionate harm" to their reputation.

This reaction highlights systemic issues in vulnerability disclosure. Despite GDPR Article 34 requiring notification to affected users when breaches pose high risks—especially involving minors—Dixken received no confirmation such alerts occurred. Equally troubling was the insurer's deflection of responsibility: "We contend that it is the responsibility of users to change their own password," they stated, ignoring GDPR Article 5's mandate for "appropriate technical or organisational measures."

The case exposes how legal intimidation creates a chilling effect in security research. As Dixken noted: "Organizations that respond with lawyers instead of engineers care more about reputation than data protection." While the insurer eventually reset passwords and began 2FA rollout, their adversarial approach damaged trust more than the vulnerability itself.

For organizations, the lesson is clear: Adopt transparent CVD policies via security.txt files, collaborate with researchers, and prioritize user protection over reputation management. For researchers, Dixken's experience underscores the importance of involving national CSIRTs, meticulous documentation, and resisting NDAs that suppress disclosure discussions. As EU directives like NIS2 encourage coordinated disclosure, such legal threats undermine collective security progress.

Dixken's full technical write-up
