US security blunder exposes residents' data

Oklahoma leaves sensitive information in public domain for three years

Clement James, vnunet.com 22 Apr 2008

The names, addresses and social security numbers of tens of thousands of Oklahoma residents were exposed to the general public for a period of at least three years.

The information was made available via a badly coded page linked to Oklahoma's Department of Corrections Sexual and Violent Offender Registry.

Anyone with a basic knowledge of SQL could view the list of sexual offenders, and query the database to bring up a host of other information on the residents.

Fredrick Lee, a software security researcher at Fortify Software, said that the problem was down to poor coding.

"This is a classic SQL injection vulnerability," he said, adding that the security lapse could easily have been caught with a simple code review.

The incident could have been avoided, according to Lee, by using some form of automated analysis during the release procedure for the website.

"The sad thing is that vulnerabilities like these indicate to attackers that other related applications and organisations are probably vulnerable as well," he said.

In this case, anyone with a basic knowledge of SQL programming could interpret the URL and other data returned by the Oklahoma site.

By the simple process of amending the long URLs returned by the site, they could retrieve tens of thousands of social security numbers and allied data.
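
The class of flaw Lee describes, shown as an added illustration: this is not code from the Oklahoma site or from Fortify. The table, the function names and every record are constructed for the example. It sets a query built by pasting a request value into the SQL text beside the parameterised form a code review would ask for.

```python
import sqlite3


def make_db():
    """In-memory registry with constructed rows; no real records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE registry (id INTEGER PRIMARY KEY, name TEXT, county TEXT)")
    db.executemany(
        "INSERT INTO registry (name, county) VALUES (?, ?)",
        [("Person A", "County A"), ("Person B", "County B"), ("Person C", "County B")],
    )
    return db


def search_concatenated(db, county):
    # Flawed pattern: the value taken from the request becomes part of the
    # SQL text, so the database parses it as SQL instead of treating it as data.
    sql = "SELECT name FROM registry WHERE county = '" + county + "'"
    return [row[0] for row in db.execute(sql)]


def search_parameterised(db, county):
    # Reviewed pattern: the SQL text is a constant and the value is bound
    # separately, so it can only ever be compared against the column.
    sql = "SELECT name FROM registry WHERE county = ?"
    return [row[0] for row in db.execute(sql, (county,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: an ordinary value, a value containing a quote,
    # and a value that changes the WHERE clause when pasted into the SQL text.
    for value in ("County A", "O'Brien", "x' OR '1'='1"):
        try:
            flawed = search_concatenated(db, value)
        except sqlite3.OperationalError as exc:
            flawed = "SQL error: %s" % exc
        print(repr(value), "| concatenated:", flawed,
              "| parameterised:", search_parameterised(db, value))
```

A value containing a single quote is the quickest review signal: the concatenated query either fails with a syntax error or returns rows the filter should have excluded, while the parameterised query returns nothing.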
