FreeHour insists it never pressed charges against four students who exposed security flaw

FreeHour CEO Zach Ciappara has released a video insisting that his company never pressed charges against four students who were arrested and searched for exposing a security flaw in the app’s backend.

In the video, uploaded to the app’s Instagram page, Ciappara insisted that it was never FreeHour’s intent to get the students in trouble.

He explained that FreeHour reported the breach to the Information and Data Protection Commissioner (IDPC), but from then onwards the case was in the police’s hands.

“Our intent was to report this breach to cover us legally. Our intent was never to get these students in trouble,” he said.

FreeHour landed in hot water on Wednesday after the Times of Malta reported that four students were arrested after highlighting a security flaw in the app’s backend system.

The students said they were scanning the software when they found the vulnerability that could be exploited by hackers.

After emailing Ciappara on this vulnerability and asking for a reward, they were arrested and their computer equipment was seized by police.

Ciappara said that his first reaction to the email from the four students was to speak with developers to ensure the flaw was fixed.

“When someone or anyone manages to gain access to your backend or exposes a vulnerability that puts data at risk, there’s a legal obligation to consult the authorities,” he said.

It was at this point that FreeHour filed a report with the IDPC. “Under GDPR we had to make this report.”