OV-site leaks personal data 168,000 passengers

OV-site leaks personal data 168,000 passengers
OV-site leaks personal data 168,000 passengers 

By Brenno de Winter 
May 18, 2010
(Google Translation from Dutch)

An ordering site for personal OV-chip cards show leak. Hackers have 
long-term access to information of 168,000 passengers. The SP wants the 
minister to account.

A website to entice travelers to a personalized smart card to buy 
appears to be open. Attackers have the personal data of over 168,000 
passengers got owned.

It is a promotional website with the provinces of Gelderland, Flevoland 
and Overijssel people in public transport to get. On Experience the OV 
people can sign up for coupons, a personalized smart card or a special 
trip for their product OV-chip card.

Leak site

An error in the website is wrong to import too much information is 
returned. This makes it possible to communicate directly with the 
database. So not only can the information be searched, but it is also 
possible to delete data, add or change. These so-called SQL insertion 
attack is relatively easy to exploit and is actually a basic mistake to 
create a site.

In the database in different places personal information about 
individuals, for example, a personalized smart card have requested. In 
total, over that for 168.000 people, of which at least the name, 
address, birth date, email address and telephone number to call. There 
are also database fields to store numbers and identification documents 
indicate some tables on an agreement for payment.


Best Selling Security Books and More!
Shop InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods