The Age reports that an Australian teenager who discovered a security flaw in the Web site for Public Transport Victoria (PTV) could face charges under Australia's cybercrime act (h/t Sophos).

Joshua Rogers, 16, accessed a database of public transportation users' personal information "using what cyber security experts described as a common hacking technique," according to The Age -- though it's not clear from the article what that hacking technique was.

The database contained customers' full names, addresses, home and mobile phone numbers, e-mail addresses, birthdates, seniors card ID numbers, and partial credit card numbers.


When Rogers contacted PTV last month to alert them to the vulnerability, the organization contacted the police.

PTV told The Age that the database had been "illegally accessed" in what was "the only known attack on its Web site."

Phil Kernick, CTO of consultancy CQR, told The Age that while Rogers did violate the country's cybercrime act by accessing a Web site without authorization, PTV had clearly also failed to protect the data. "[He] wasn't authorized by Public Transport Victoria to do this testing, but he didn't make the data of all of the users of PTV available, they did," he said. "Everyone is being attacked all the time, so if your Web site not going to survive this level of attackd you're going to get owned."

Photo courtesy of Shutterstock.