Late last year, a 16-year-old schoolboy on summer holidays found a simple security flaw in Public Transport Victoria's (PTV) website. The flaw the high-schooler discovered is commonly known as a MySQL error, and it is ridiculously simple to fix. With teenage curiosity at play, Joshua Rogers managed to access the government server using a process known as SQL injection.
Due to PTV's security oversight, databases holding the personal information of over 600,000 users – including full names, emails, addresses, phone numbers, dates of birth and nine digits of their credit cards – were accessible online. And if the young wunderkind could access those databases, it meant that far more nefarious and potentially criminal types could illicitly access them as well.
(H/T Charles WT)