Australian police investigating teen who found database flaw

Joshua Rogers said the SQL injection flaw allowed access to 600,000 records with personal information

Joshua Rogers of Melbourne is facing a police investigation for finding a database flaw in Public Transport Victoria's website despite notifying the organization of the issue on Dec. 26.

Joshua Rogers of Melbourne is facing a police investigation for finding a database flaw in Public Transport Victoria's website despite notifying the organization of the issue on Dec. 26.

An Australian teenager who notified a public transport agency of a serious database flaw is under police investigation.

Joshua Rogers, 16, of Melbourne, found a SQL injection flaw in a database owned by Public Transport Victoria (PTV), which runs the state's transport system.

The flaw allowed access to a database containing 600,000 records, including partial credit card numbers, addresses, e-mails, passwords, birth dates, phone numbers and senior citizen card numbers.

A PTV spokeswoman said Friday police were notified as a "matter of process" because of the breach. She said she could not comment if PTV wanted to see Rogers prosecuted.

Rogers sent an email to PTV on Dec. 26, which is the Boxing Day public holiday in Australia. He described himself as a white-hat hacker, a term used to describe security researchers who do not mean harm.

"I've found a very serious vulnerability in the website that discloses critical information stored on the server," according to the email, provided to IDG News Service by Rogers. "I'd like to report this vulnerability, but I'm unsure as to whom to contact."

Rogers said he sent the email to 13 employees, including "," an address listed in the WHOIS domain records for PTV's mobile site,, and PTV's CIO.

After not getting a response, he contacted Fairfax, the publisher of The Age, Melbourne's daily newspaper. The Age wrote it contacted PTV about the issue, and Rogers learned he'd been reported to Victoria Police.

A Victoria Police spokeswoman said via email on Friday that it received PTV's report "relating to the unauthorized access to their network."

"As the matter is currently under investigation, we are not in a position to comment," according to a statement.

Rogers said via email that he downloaded two or three records from the database as part of his research, then deleted the data. The credit card information was incomplete, but he said was only missing three numbers.

It's not uncommon for security researchers to go public with vulnerability information if they do not receive acknowledgement from an organization. In Rogers' case, he went to the publisher to tell them of the flaw, but did not release details of the flaw itself or personal information from the database.

In a statement, PTV maintained that it learned of the flaw from a "third party," referring to Rogers, and that the database in question is no longer in use.

PTV maintains the database was "illegally accessed" and that it has also reported the incident to Privacy Victoria, the state's privacy commissioner and data regulator, according to the statement. It said the database is not linked to "myki," the state's transport smart card, which can be topped up with money online.

"PTV can confirm that this is the only known attack on its website," it said.

Rogers said Friday the police had not contacted him yet. "The fact that PTV have contacted the police is no surprise, and I have prepared for that to happen," Rogers said. They want to detract attention from their blunders, so they will go after me."

"I've done nothing wrong," he said.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags securityPublic Transport Victoriadata protection

More about IDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place