Scouts take down database due to 'security vulnerabilities'
Full security audit for Compass database
The Scouts Association has taken down its Compass database, which holds the records of nearly half-a-million young people and adult volunteers, after discovering a "potential security vulnerability," The Register can reveal.
In a letter seen by El Reg and addressed to members this morning, the association said the decision was taken following "investigations into an issue raised by one of our members".
It said the decision was made "to ensure that the potential vulnerability cannot be exploited."
The system will remain offline until all security issues are resolved, and will undergo a full audit at source-code level, combined with in-depth penetration testing, the letter said.
Last week The Register revealed that serious concerns had been raised over the security of the Scout Association's database after a number of flaws were discovered by members.
One source told us: "If these bugs are being found by regular users, I am pretty sure the vulnerability assessment or code checking was poor."
Since the publication of the story, a number of members have contacted El Reg to echo similar concerns.
Responding to the decision to take the database down, another source told us today: "As a Scout leader and an information security professional, I and many others have been concerned over this system. It is good to see that common sense prevailed in the end to properly test this high-profile high-risk database."
A spokesman from the Scouts Association said:
"Some concerns have been raised as to the security of Compass, which is a system accessible only to Scout Association Members. These concerns are around the extent of member access to data.
"We take all of these concerns seriously and we are investigating the concerns thoroughly with our contractor. In the meantime we have disabled member access to the system as a precaution whilst we investigate further.
"There is no evidence at all to suggest that there have been any breaches in security.
"There is an ongoing process designed to test the security of the system run by world class contractors. We continue to work with these contractors to keep our data safe."