We want to be open and transparent about an issue we became aware of early in the recent WordFest Live 2021 event. Via the WordPress REST API endpoint:
/wp-json/wp/v2/users
logged-in users could view the email address and name of fellow registered attendees.
We are highlighting this because our registration process provided the option for attendees not to have these details publicly available. This data was only available to other logged-in users and only via the specific endpoint. This issue impacts only those attendees that specifically opted not to have their profile visible on the public-facing Attendees page.
No passwords or other personally identifiable information was exposed. The team resolved the issue within minutes of it being highlighted. We understand the responsibility of handling personal data and would like to assure all attendees that this issue was managed with the highest priority.
As a result of this issue, we are implementing additional measures to review our development cycle practices. As part of an internal review, we went through the ICO self-assessment for security breaches; at this time we believe this issue does not require reporting. However, we will reassess if any additional evidence presents itself during a further review.
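The class of exposure described above (an authenticated REST API caller enumerating other accounts' names and email addresses through /wp-json/wp/v2/users) can be closed at the application layer with a small must-use plugin. The following is an added example written for this page, not WordFest's own fix or any code from the event site; the page does not say how the email field came to be exposed, so the example assumes only the standard WordPress hooks and capabilities named in the comments. It gates the users routes on the core `list_users` capability (except the caller's own `/wp/v2/users/me` record, which the block editor needs) and, as defence in depth, strips the `email` field from any user record the caller could not edit anyway.

```php
<?php
/**
 * Plugin Name: Restrict REST user listing (added example, not WordFest's code)
 * Description: Place this file in wp-content/mu-plugins/ so it loads unconditionally.
 */

// Assumption: only accounts that may manage other users (the core 'list_users'
// capability, held by administrators by default) should be able to enumerate
// attendees through the REST API. Everyone else gets a 401/403 before the
// users controller runs.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();

    // Leave the caller's own record reachable; the block editor requests it.
    if ( '/wp/v2/users/me' === $route ) {
        return $result;
    }

    if ( 0 === strpos( $route, '/wp/v2/users' ) && ! current_user_can( 'list_users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to list users.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
        );
    }

    return $result;
}, 10, 3 );

// Defence in depth: even for callers that pass the gate above (or a route the
// gate does not cover), never emit another account's email address unless the
// caller could edit that user anyway.
add_filter( 'rest_prepare_user', function ( $response, $user, $request ) {
    $data = $response->get_data();

    if ( isset( $data['email'] ) && ! current_user_can( 'edit_user', $user->ID ) ) {
        unset( $data['email'] );
        $response->set_data( $data );
    }

    return $response;
}, 10, 3 );
```

To confirm the change took effect, request /wp-json/wp/v2/users while logged in as a subscriber-level test account and check that the response is the `rest_forbidden` error rather than a list; then request /wp-json/wp/v2/users/me from the same account and confirm it still returns that account's own profile. Because the endpoint is also reachable to anonymous callers in a default install (for users with published posts), repeat the first check logged out. The second filter is deliberately redundant with the first so that a future plugin or theme re-enabling the route does not silently reintroduce the email exposure.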
“There is no requirement to notify the ICO but you should keep a note of why you came to this decision. If new information which affects the circumstances of this breach comes to light, you should reassess the risk and determine whether it becomes reportable at that point.”
ICO self-assessment result.
If you have any questions in relation to this, please contact us via the Contact Form on this website: https://www.wordfest.live/contact/