Public Transport Victoria is now seeking to have a schoolkid charged for cybercrime, despite said schoolkid having alerted them to a security vulnerability that would allow someone to access the personal information of nearly 600,000 public transport users.
The database was for the old Metcard store – which was shut down as part of the transition from Metlink to Public Transport Victoria – and contained, according to The Age, full names, addresses, phone numbers, email addresses, Senior Card ID numbers, and partial credit card numbers. The flaw – described as being a very common problem – has since been fixed by PTV.
Joshua Rogers, 16, said that he found the vulnerability after hitting an error page when trying to find the price of Myki tickets for Boxing Day. “Just from basic instinct I knew what the error meant and how it could be leveraged for database access,” he told the ABC.
Legally speaking, Rogers did break the law: he accessed the database without being authorised to do so. But I’m of the view that it would be a mistake to charge him. He found the problem and alerted PTV. If he hadn’t, then I wonder how long it would have been before it was found by someone else – especially when a recent report from the Victorian Auditor-General found more than 100 problems across the entire State Government’s IT infrastructure.
Just be thankful that he accessed the database and not someone else. Otherwise, there would be a total shitstorm if that information was dumped online.