White hat hacks into Public Transport Victoria website

January 8, 2014 |

The Age reports in Schoolboy hacks Public Transport Victoria website how a 16 year old, Joshua Rogers, hacked into the Public Transport Victoria (“PTV”) website. The article notes that after Joshua notified the PTV of the security flaws it kindly notified the police and the Privacy Commissioner.  The reasons were not provided.  It will be interesting to see how both guardians, one of law and order and the other of privacy, will respond to the challenge.  Given PTV’s database contains vast amounts of personal information, including credit card details,the reported inadequacy of its on line security is a major concern.  Hopefully the Privacy Commissioner will take a robust approach when investigating this alleged failing. It would be fascinating to see what the results of a Privacy Impact Assessment by the PTV will reveal. Of course that won’t be made public.  Assuming it happens.

The article provides:

Personal information about public transport users in Victoria has been exposed to potential identity theft because government authority Public Transport Victoria failed to secure its website.

The security flaw in the PTV website was discovered by schoolboy Joshua Rogers, 16, who used a simple hacking technique to unearth a database containing the personal records of customers of the former Metlink online store.

The database includes full names, addresses, home and mobile phone numbers, email addresses, dates of birth, seniors card ID numbers, and nine-digit extracts of credit card numbers.

Joshua contacted PTV last month to warn it of the site’s vulnerabilities. On Tuesday it referred the matter to the police.

Joshua, a self-described ”white hat” security researcher, said he was motivated by a desire to improve online security. He first contacted PTV by email on Boxing Day, but received no response. He later contacted Fairfax Media.

More than a week after Joshua made contact with PTV, it still had not responded, but this week it referred the matter to Victoria Police and Privacy Victoria following inquiries by Fairfax Media.

The method Joshua used to enter PTV’s site has been described by cyber security experts as one that is easy to guard against.

It is not known if others have previously hacked the website, which is the primary online source for information about train, tram and bus timetables, myki, and current and planned public transport projects. Metlink was the Transport Department’s ”shop front” for public transport users before Public Transport Victoria’s formation in 2012. An estimated 600,000 entries were found in the database.

Phil Kernick, of cyber security consultancy CQR, said PTV had failed to take proper care to secure its site from potential hacking.

”It’s truly disappointing that a government agency has developed a website which has these sorts of flaws,” Mr Kernick said.

”So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there.”

Ty Miller, director of Threat Intelligence, which locates security flaws in websites so they can be fixed, said the type of personal information hidden on PTV’s site was sought by criminal hackers.

”Most of the stuff is personally identifiable information that is often used for things like identity theft, for example, ringing up your bank, and then answering their basic questions – like, ‘what’s your birthday, what’s your address’,” Mr Miller said. ”That then allows you to maybe reset a password for internet banking and then make fraudulent transactions.”

Fairfax Media gave PTV time to secure its site before publishing.

A spokesman said the personal data was no longer accessible or available via any online system. He added that the database was not linked to myki online accounts and that no usable credit card details were stored in the database.

Leave a Reply