Australian Teen Alerts Transit Department To Security Hole On Website… Gets Reported To Police
from the not-this-again dept
For years and years, we’ve been stumped by why website owners try to kill the messenger when someone discovers a hole on their website. It’s happened yet again. Down in Australia, a 16-year-old by the name of Joshua Rogers found a security hole in the Metlink website, which is run by the Transport Department in Victoria. The hole appears to be a fairly large one:
The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne.
Rogers did exactly what a good security researcher should do: he contacted the Transport Department. After waiting two weeks without further response, he went to the press. Upon hearing from a reporter, rather than focusing on closing this massive security hole (and figuring out how to properly encrypt credit card numbers), the Transport Department told the reporter that it was reporting Rogers to the police.
In other words, the officials there would rather malicious hackers have access to all that info, and are trying to throw in jail the guy who told them they should fix their website. Incredible.