Oklahoma Department of Corrections Leaks Sensitive Data
Basic Programming 101: secure your data. Basic Programming 201: when someone reports a problem, test the fix instead of just slapping on an adhesive bandage. Tens of thousands of Oklahoma residents had their sensitive data - including Social Security numbers - made available to the general public. All you needed was some basic SQL knowledge and some free time.
And get this - the problem wasn’t discovered for three years. A programmer reported the problem, explaining how he could easily change the address his browser was pointing to and grab their entire database. And because of the way it was programmed, with the SQL sitting right in the URL, malicious users could have tampered with the database by changing data or even adding an entry for someone who wasn’t in it.
Did we mention this is the Sexual and Violent Offender Registry?
The programmer reported the problem and the bad programming was supposedly fixed. Only it really wasn’t, because the “fix” was so minor. As in, they-changed-something-to-a-capital-letter minor. So he contacted them again, letting them know that their simple fix wasn’t enough. How did he get them to act? By letting them know that Department of Corrections employee data was available, too.
If you understand even the basics of programming, you should read the entire article. The mistakes were quite basic and frankly, embarrassing for any programmer worth his or her salt.
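To make the flaw and the "test the fix" point concrete, here is an added example (not OKDOC's code and not taken from the linked article) that puts the design described above next to a hardened handler, with a regression check that would have caught a cosmetic fix. The table, the rows, the `sql` and `county` parameter names and the `registry.example` host are all made up for illustration.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode, urlparse

def make_db():
    """Constructed sample registry; table, columns and rows are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE offenders (name TEXT, county TEXT, ssn TEXT)")
    db.executemany("INSERT INTO offenders VALUES (?, ?, ?)",
                   [("A. Example", "Tulsa", "000-00-0001"),
                    ("B. Sample", "Cleveland", "000-00-0002")])
    return db

def vulnerable_handler(db, url):
    """The design the post describes: the SQL text itself arrives in the URL."""
    sql = parse_qs(urlparse(url).query)["sql"][0]  # 'sql' is a hypothetical name
    return db.execute(sql).fetchall()  # the client picks columns, tables and verbs

# The server owns the statement; only public columns are ever selected.
PUBLIC_QUERY = "SELECT name, county FROM offenders WHERE county = ? ORDER BY name"

def hardened_handler(db, url):
    """Accept one expected parameter and bind it as data, never as SQL."""
    params = parse_qs(urlparse(url).query)
    if set(params) != {"county"} or len(params["county"][0]) > 40:
        raise ValueError("unexpected request")
    return db.execute(PUBLIC_QUERY, (params["county"][0],)).fetchall()

def leaks_ssn(db, rows):
    """Regression check: does any returned field match a stored SSN?"""
    secrets = {r[0] for r in db.execute("SELECT ssn FROM offenders")}
    return any(field in secrets for row in rows for field in row)

if __name__ == "__main__":
    db = make_db()
    base = "https://registry.example/list?"
    old = base + urlencode({"sql": "SELECT name, ssn FROM offenders"})
    new = base + urlencode({"county": "Tulsa"})
    print("old design leaks SSNs:", leaks_ssn(db, vulnerable_handler(db, old)))
    print("new design leaks SSNs:", leaks_ssn(db, hardened_handler(db, new)))
    try:
        hardened_handler(db, old)
    except ValueError as exc:
        print("old-style request now rejected:", exc)
```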
image: mike23 on flickr (not the coding from OKDOC)