Joshua Rogers contacted PTV about the vulnerability on December 26. Photo: Simon Schluter
A Melbourne schoolboy who exposed serious cybersecurity weaknesses within Public Transport Victoria’s systems by hacking its website to unearth a large store of personal data could be charged under the cybercrime act.
Joshua Rogers, 16, discovered an extensive database containing the personal details of public transport users in Victoria, using what cybersecurity experts described as a common hacking technique.
A self-described “security researcher”, he contacted PTV on Boxing Day to alert them to the site’s vulnerability, but got no response until Monday, following inquiries by Fairfax Media.
The database contained a large amount of personal data including full names, addresses, home and mobile phone numbers, email addresses, dates of birth, seniors card ID numbers, and partial credit card numbers of customers of the Metlink public transport online store. The store was closed down in 2012 when PTV began.
Victoria Police began investigating the security breach on Tuesday. It is understood the e-crime squad is investigating. Privacy Victoria has also asked for an urgent briefing on the matter.
“Victoria Police has received a report from Public Transport Victoria relating to the unauthorised access to their network. As the matter is currently under investigation we are not in a position to comment,” a spokeswoman said.
Public Transport Victoria said the Metlink database had been “illegally accessed” and that it was “the only known attack on its website”. Fairfax Media gave PTV time to secure its site before publishing.
The breach occurred just weeks after the Victorian Auditor-General warned government departments that they were woefully ill-equipped to combat cyber attacks. In a report tabled in state parliament in November, the Auditor-General found there was “a low level of awareness of how each agency’s ICT systems would likely perform if subjected to a cyber attack”.
The audit identified well over 100 information security breaches and lapses during penetration testing – or authorised hacking – of government websites.
“The results of this audit should serve as an important reminder to all government departments and agencies of the need to remain vigilant in monitoring and testing of the security of their ICT systems,” Auditor-General John Doyle wrote.
Phil Kernick, chief technology officer of cybersecurity consultancy CQR, said it was evident that Joshua had committed an offence, because accessing a website without authorisation is illegal under the cybercrime act, but he said PTV had failed to protect Victorian public transport users’ personal data.
“[Rogers] wasn’t authorised by Public Transport Victoria to do this testing, but he didn’t make the data of all of the users of PTV available, they did,” Mr Kernick said.
“Everyone is being attacked all the time, so if your website is not going to survive this level of attack you’re going to get owned.”
In 2011, First State Super was widely criticised for setting police on a researcher who pinpointed security flaws in its systems. NSW Police subsequently dropped the matter.