A 16-year-old security expert has demonstrated that a website belonging to Public Transport Victoria, the authority responsible for public transport in the Australian state of Victoria, has exposed the personal details of users.
According to The Sydney Morning Herald, Joshua Rogers, who considers himself a white hat hacker, has identified a vulnerability in the Metlink website, which provides information on public transport. The site was the Transport Department’s main portal until 2012, when Public Transport Victoria was launched.
Rogers revealed that he had exploited a vulnerability that allowed him to gain access to a database containing names, addresses, phone numbers, email addresses, dates of birth, card ID numbers of seniors and even nine digits of credit card numbers. The website’s database is said to have contained around 600,000 entries.
The security expert hasn’t provided any details on the flaw, but he says it’s not difficult to patch.
He notified Public Transport Victoria of his findings, but he didn’t get a response. The organization took action only after being contacted by Fairfax Media. The transport authority has reportedly referred the matter to Privacy Victoria and the police.
PTV representatives say they’ve made sure the information is no longer accessible. They’ve also clarified that the compromised database was not linked to online accounts for myki, the smartcard ticketing system used for public transport in Victoria.
On the other hand, experts interviewed by SMH say that if Rogers managed to hack the website, it’s likely that someone else had also done so. It’s possible that the information is already out there, considering that this type of personal data could be highly valuable for cybercriminals.
The information stored in the Metlink database can be abused for identity theft, and even to reset passwords for online banking accounts.