Joshua Rogers, 16, a self-described white-hat hacker, found a security hole in an Australian public transit website and reported it to the site on Boxing Day.
The site, run by Public Transport Victoria (PTV), didn't respond, so Rogers' next move was to report it to the media, who in turn contacted PTV, who in response reported Rogers to the police.
Now, the teenager could be charged under Australia's cybercrime act, reports The Age, an independent Melbourne news outlet.
According to The Age, Rogers hacked the site using an unspecified hacking technique to access a database that held personal data including full names, addresses, home and mobile phone numbers, email addresses, dates of birth, seniors' card ID numbers, and nine-digit credit card extracts of customers of the Metlink public transport online store.
PTV was formed in 2012, taking over from the Director of Public Transport and the Department of Transport. It also took responsibility from the Metlink online storefront for the marketing of public transport in Melbourne, and responsibility for the myki ticketing system.
The site in question is the primary online source for information about train, tram and bus timetables, as well as for current and planned public transport projects.
The Age subsequently reported that about 600,000 entries were found in the hacked database.
On Tuesday, PTV responded to a media inquiry by calling Victoria Police, who began to investigate, enlisting help from the e-crime squad.
PTV reportedly said that the Metlink database had been "illegally accessed" and that it was "the only known attack on its website".
Fairfax Media, the media outlet that had initially contacted PTV, gave PTV time to secure its site before publishing news about the security hole.
Security experts told The Age that the hole which allowed Rogers to poke his finger into the database is a common, easily patched one.
Should PTV have thanked Rogers for his help in finding the hole, instead of reporting him to the police?
Is it a "breach" when a white-hat hacker finds and reports a hole, or is it a public service?
It's both, really.
True, a public transportation service such as PTV deserves to be taken to task over leaving an easily fixable hole wide open.
That doesn't take the onus off of Rogers when it comes to responsible pen-testing, however.
He's obviously astute enough to know how to hack a site.
He should also be savvy enough about the subject of penetration testing to know that it's illegal to poke your nose into other users' data without asking your target first.
When PayPal started its bounty program in June 2012, it laid it out like this: we won't set our lawyers on you, white-hat hackers, or ask the police to investigate you, if you refrain from, say, attacking us with a distributed denial-of-service (DDoS) attack or poking your nose into other users' data without asking our OK first.
That certainly seems like a reasonable request.
After all, as penetration testers will tell you, their work is most certainly not a passive, risk-free endeavor.
Pen testers can really mess up a site: crashing servers, exposing sensitive data, corrupting crucial production data or causing other damage by mimicking the actions of malicious attackers.
Rogers is only 16. Hopefully, the authorities won't come down too hard on him.
Hopefully, they - or somebody - will teach him the lessons of responsible pen-testing and help him along the path to becoming a valuable public asset: i.e., a white-hat hacker who treads carefully, does no harm, and doesn't cause his targets to freak out while he's hunting for bugs and trying to help them.