I stumbled on an interesting article today about data privacy, or really the lack thereof, for registered sex offenders in Oklahoma (and ultimately the State’s government employees as well). It seems that anyone on this list, or any other offender list in OK, has had their SSN numbers exposed on the Internet for the past 3 years.
…The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed – and possibly, changed – any data within the DOC’s databases.
What I find interesting is that a feeble attempt to protect this information was made at first. It wasn’t completely corrected until the writer of the article pointed out to the Department of Oklahoma Corrections that it wasn’t just criminals whose SSN numbers were exposed but also private data on the government employees could be found and downloaded easily.
Shortly after discovering this problem (thanks to reader AJ, who hesitantly pointed it out), I spent the following day working my way up the DOC’s call tree. Eventually, I found my way to George Floyd and explained how bad of an idea it was to have a SQL query as a parameter…
The following day, both the SVOR and Offender Search were taken down “for routine maintenance”. Great, I figured, they discovered an overlooked hole and were working to patch it up. However, when the sites came back up, I noticed that the “print-friendly page” still had a SQL query in the URL. Putting the “social_security_number” in, however, no longer displayed social security numbers. It took me all of ten seconds to figure out a way around their fix. This slightly-modified URL brought back all 10,597 SSNs once again.
…I emailed again, this time explaining the problem much more clearly and advising in BOLD, RED, CAPS that the “roster page” should be taken down immediately. I also demonstrated the power of the ALL_TABLES table, the contents of an “interesting” table named MSD_MONTHLY_MEDICAL_ACTIVITY, and how even their information was available for all to see…. That, apparently, did the trick. Soon thereafter, the sites underwent “routine maintenance” and the “roster pages” were no more. I guess they weren’t too thrilled about having their personal data up on the ‘net for all to see