Lucian Constantin reports:
A government-run website promoting the OV-chipkaart smart card, which is currently being introduced in public transportation across The Netherlands, has been found leaking sensitive private information on over 168,000 passengers. A grey-hat hacker proved that he could access the name, address, birth date, phone number or e-mail for anyone in the database, through SQL injection.
According to Webwereld, who covered (in Dutch) the security breach in detail, the vulnerable www.ervaarhetov.nl website was created to encourage a quicker OV-chipkaart adoption in the Gelderland, Overijssel and Flevoland provinces.
Read more on Softpedia.
Thanks to the reader who sent in this link.
Update: Karin Spaink’s blog indicates that the stored data may have included “possibly their passport number and payment method.” The government reportedly closed the site after being notified of the leak. Karin adds: “The SP (a political party) will motion for a freeze: this is the umpteeth vulnerability/leak with regard to the OV chip card.”