The Information Commmissioner’s Office (ICO) and Brand New Tube (https://brandnewtube.com, BNT) face questions after whistleblowing information revealed damning new information about the scale of BNT’s recent data breach. British video sharing website Brand New Tube was hacked in 2020, and again earlier this month by a different group. The hackers emailed users and posted some details online. However, based on information MHN received from a whistle-blower last night, BNT’s disclosures on the scale of its security problems and the recent hack are seriously incomplete. Right now, if you have ever uploaded an identity document to BNT for monetisation, it is likely available online. Disturbingly, it has been quite hard to get the ICO to do something about this. The poor communications and processes reflect badly on Head of Communications Tim Bowden and Chief Executive John Edwards, albeit not as badly as on Brand New Tube CEO Muhammad Butt.

A driving license of a BNT user available from BNT CDN servers this morning, anonymised by MHN.

Obviously, you would expect the ICO to do something about this pretty promptly. I got in touch this morning with their press office by email. I got a boilerplate message back. Now, just to explain the ICO are embarrassed because last week they wrongly told MHN in writing that Brand New Tube had not disclosed the hack. This was wrong and the ICO had to withdraw it. However, the story has moved on and they need to actually read inquiries. So I called them up and had a few words. I sent in a further inquiry. I just got another boilerplate, “We have nothing further to add to our statement”. As opposed to, for example, “thank you for this new information – we confirm it has been passed urgently to the relevant team to see what can be done and will be looked at today”.

Based on the information from the whistle-blower, Brand New Tube has failed to disclose the fact that it has never deleted user documents, and never put them, y’know, behind a password. It appears that they can all be downloaded. This morning, multiple bloggers and journalists have downloaded multiple identity documents – taking appropriate records for evidence.

The passport above was downloaded this morning. There was no hacking. I just typed in the URL to a BNT server. They have published these peoples’ documents to the world. Then I forwarded it to the ICO. I have anonymised it for this article, and before processing the data, I considered the Editor’s Code and MHN’s policies in accordance with the Data Protection Act 2018 (DPA). I consider it reasonable and in the public interest to process this document to report it to the ICO. I consider it reasonable and in the public interest to process it in anonymised form in the article in order to give a concrete example of BNT’s failure to appreciate or disclose the scale of the breach, and of their security issues. Others are doing the same. There are thousands of ID documents. Anyone who has ever monetised at BNT as far as we can tell. All available online without so much as a password prompt.

Brand New Tube has not disclosed this to the ICO, for the obvious reason that Brand New Tube are too stupid and negligent to fully understand what they have done. Even after being hacked for the second time. Fortunately, after I gave up on Tim Bowden’s arrogant and blasé press team, I called into customer services who seemed to pick up on the seriousness of the issue and took details to make an immediate, intra-day referral. I remain tempted to doorstep Edwards and Bowden, and I suspect they will be answering questions about this to a Select Committee in due course. Even so, the helpful man on the phone was stymied by what seems to me to an inflexible system for triage, unsuited for urgent matters. That reflects on John Edwards, and reflects badly.

I did consider delaying this post, but after some thought I decided that it needs to go up now because the ICO are being so dilatory, in order to warn users. It is too late to stop the data being stolen. A vast number of hackers have had weeks to review all this. The whistle-blower who contacted me was by no means the first to know.

I advise anyone who has uploaded identity documents to Brand New Tube to make an urgent complaint to the ICO. If you have experienced identity theft since you uploaded your documents, MHN recommends that you contact solicitors to consider a claim in damages. If you are a BNT user who uploaded a document, you should also complain to the ICO here.

I want to say this again. No hacking was needed. No passwords. No dramatic screens full of green letters. No flashing screens with decrypting fire wall and ‘access denied’ flashing in red. No visits to ominous darknet forums. Just type the URL into the browser. The hacker known as 4Chan (seen below in a video) did not need to spend his talents breaching BNT’s defences because there were no any defences. Whilst I do not approve of hacking, in this case the hackers known as Thrax and Fuckery have exposed something of great public interest and concern. I would add there are other concerns about Brand New Tube and Sonia Poulton from other sources so there are more revelations to come.

Meanwhile the hacking community seems hard at work. Let us hope they have not been ‘scampering’ into other confidential data like Sonia Poulton or Muhammad Butt’s emails – or at least if they have the consequent leaks are of public interest materials.