The names, addresses and social security numbers of tens of thousands of Oklahoma residents were exposed to the general public for a period of at least three years.
The information was made available via a badly coded page linked to Oklahoma's Department of Corrections Sexual and Violent Offender Registry.
Anyone with a basic knowledge of SQL could view the list of sexual offenders, and query the database to bring up a host of other information on the residents.
Fredrick Lee, a software security researcher at Fortify Software, said that the problem was down to poor coding.
"This is a classic SQL injection vulnerability," he said, adding that the security lapse could easily have been caught with a simple code review.
The incident could have been avoided, according to Lee, by using some form of automated analysis during the release procedure for the website.
"The sad thing is that vulnerabilities like these indicate to attackers that other related applications and organisations are probably vulnerable as well," he said.
In this case, anyone with a basic knowledge of SQL programming could interpret the URL and other data returned by the Oklahoma site.
By the simple process of amending the long URLs returned by the site, they could retrieve tens of thousands of social security numbers and allied data.
UK organisations need to face up to £1.5bn ID fraud problem 22 Apr 2008
Mobile working pushes up data loss risk 18 Apr 2008
It's the only way to be sure 15 Apr 2008
It's the only way they'll listen to us, say security experts 08 Apr 2008
Security not being built-in to applications, warns Fortify 01 May 2008
Debian and Ubuntu affected by 'insecure randomness' flaw 21 May 2008Company recommends tools and best practices to prevent attacks 26 Jun 2008
Company poised to join research project designed to optimise carbon capture processes 21 Aug 2008
Call for an investment programme on a scale of the Apollo projects as party pledges to increase pressure on government to toughen up Climate Bill 21 Aug 2008
Businesses using old PCs as thin clients are struggling to achieve expected carbon savings 21 Aug 2008
More news
The impending global water crisis can only be averted if the private sector takes advantage of the water investment opportunities on offer 21 Aug 2008
As the reputational risks associated with greenwash become more apparent every day, Paul Thomas asks why some firms still find themselves overstating their environmental credentials 20 Aug 2008
Emissions trading is widely touted as one of the best mechanisms for tackling climate change, but how do these schemes work and how will your business be affected? Tom Young investigates three of the emissions trading schemes having an impact on UK firms 19 Aug 2008 More in-depth
Post your comment
Send an email to the Business Green editor at feedback@businessgreen.com
