Public Transport Data Leak Reported

Published: 10.01.2013 13:17

A security hole in the public transport ticketing e-service pilet.ee was discovered at the beginning of the week.

The flaw, found by the Eesti Ekspress weekly, allowed users who were logged on to access other users' information by changing a number in the browser's address bar. It is unrelated to security concerns regarding Tallinn's new farecard system, which is currently being evaluated by the Data Protection Inspectorate.

Eesti Ekspress reported today that the data available made it possible to link the ID numbers of other users to the types and times of their December ticket purchases.

The security hole was patched on Tuesday, an hour after the newspaper reported it to the responsible company, Ühendatud Piletid AS. The company's director Kristjan Konks said the threat was not serious.

“The access was limited to ticket receipts. They included no personal data and could not be connected to any specific person,” he said.

As the newspaper correctly pointed out, however, it is very easy to link an Estonian ID number with a person's name using a simple Google search. Pilet.ee not only provides tickets for public transport in Tallinn and Tartu, but also those for local commuter trains, some attractions such as the Tallinn Zoo and Botanic Garden, and use of massage chairs.

IT security expert Tõnu Samuel told Eesti Ekspress the case was an example of a classic security hole. Programming an application to extract all the exposed data would take a matter of minutes, he said.
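The defect the article describes is an authorization check that stops at "is the caller logged in?" and never asks "does this record belong to the caller?". As an added illustration (not code from pilet.ee, Ühendatud Piletid or the article), the vulnerable lookup is shown beside the ownership check that fixes it, an unguessable replacement for sequential ids, and a simple detector for the "script it in minutes" scenario; all user names, receipts and log records are constructed.

```python
import secrets
from collections import defaultdict

# Constructed sample data modelling the article's scenario: receipts stored
# under sequential numeric ids, each tied to the account that bought the ticket.
RECEIPTS = {
    1001: {"owner": "user_a", "ticket": "Tallinn 1h", "bought": "2012-12-03T08:12"},
    1002: {"owner": "user_b", "ticket": "Tartu 30d", "bought": "2012-12-05T17:40"},
    1003: {"owner": "user_a", "ticket": "Elron Tallinn-Tartu", "bought": "2012-12-20T09:05"},
}


def get_receipt_vulnerable(session_user, receipt_id):
    """The flaw the article describes: only 'is the caller logged in?' is
    checked, never 'does this receipt belong to the caller?'."""
    if session_user is None:
        raise PermissionError("login required")
    return RECEIPTS.get(receipt_id)  # whatever id the URL carries is served


def get_receipt(session_user, receipt_id):
    """Hardened handler: release a record only to its owner, and answer a
    foreign id exactly like a missing one so valid ids cannot be confirmed."""
    if session_user is None:
        raise PermissionError("login required")
    rec = RECEIPTS.get(receipt_id)
    if rec is None or rec["owner"] != session_user:
        return None
    return rec


def opaque_receipt_id():
    """Unguessable reference for new receipts: defence in depth against
    enumeration, not a substitute for the ownership check above."""
    return secrets.token_urlsafe(16)


def flag_enumeration(access_log, threshold=20):
    """Detection for the 'script it in minutes' scenario: sessions that
    request more distinct receipt ids than a legitimate customer plausibly
    owns. access_log is a list of (session_user, receipt_id) pairs."""
    seen = defaultdict(set)
    for user, rid in access_log:
        seen[user].add(rid)
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)
```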

Comments (10)

  • knut_albers

    10.01.2013 13:36

    "The security hole was patched on Tuesday, an hour after the newspaper reported it to the responsible company, Ühendatud Piletid AS" Wow, another stunning project financed by Enterprise Estonia (they also help them to "develop the RFID ticket validation service"). Zero talent, and the zero is still rounded up.

  • Giulio

    10.01.2013 13:46

    Konks lies. Well, he has a company to defend. Such a security hole is horrible to say the least.

  • knut_albers

    10.01.2013 13:47

    "IT security expert Tõnu Samuel told to Eesti Ekspress the case was an example of a classical security hole" It's a classical security hole, because no one uses consecutively numbered string IDs anymore these days in the first place.

  • knut_albers

    10.01.2013 14:06

    This is by the way another reason why I am against the use of RFID technology by the government with official documented personalized information on it, because on government projects typically no one cares about its security or anything else about the project, since no one is to be held accountable when things fail. Not on the government side anyway, but also the company who won the tender is typically in relatively safe waters with no economic consequences, so who would care about it anyway?

  • knut_albers

    10.01.2013 14:18

    Giulio, yes it is a mistake that may happen to an intern during training, but not in production (hopefully) done by IT professionals with the required expertise. Let's say Google would make such a beginner mistake with one of their applications (Google Docs e.g.) and even if no actual personal data could have been fetched (just, say, the directory of files would be shown or something without the ability to actually access its contents), Google would be slaughtered in the public press, hundreds of thousands of users would terminate their service immediately, Google would make some advertising losses for some time and politicians would wage a political war against them and possibly fine them. What's the aftermath here? There will be none of that. When something fails where the government is the contracting body, then everyone is hiding and, if required, a third party will be blamed for the unpleasant fame.

  • Dutch

    10.01.2013 21:27

    A mistake was made & corrected within an hour of its discovery. The consequences, in practical terms: zero, nada, nothing. Storm in a teacup.

  • Giulio

    11.01.2013 11:38

    Dutch, do you realize that the average security expert is definitely more skilled than a random journalist? This bug was discovered by some journalist whose only skill was changing a URL in the address bar. Guess what else could break... But as Knut says, bugs are normal; who is accountable is the problem.

  • auslane

    11.01.2013 11:54

    @Dutch - but how long had the vulnerability been active *prior* to discovery? This kind of beginner-level security mistake doesn't give confidence in the rest of the system; it could be there are other, slightly-harder-to-find vulnerabilities, just waiting to be exploited.

  • Happens everywhere

    11.01.2013 16:29

    Reminds me of a similar (a bit more sophisticated) vulnerability discovered in Facebook, which made a lot of noise in Australia because a journalist covering the story got briefly arrested in the process. Just google "hacking demo on facebook photos" to get the full story. So it happens kind of everywhere, and goes to show why beginners should not be given the right to pilot a turbine aircraft. Tallinn city should get down to understanding that when it comes to storing and protecting private data collected and accessible via open channels, they are complete amateurs, so why on earth are they having the pretensions of professionals, pretending they would know how to protect highly private data for 7 years.

  • knut_albers

    15.01.2013 13:53

    Eesti Päevaleht reported today, no surprise, that there are also security loopholes with the "green" farecards. BBN recaps that, according to the paper, this enabled people with a smartphone that supports the Near Field Communication (NFC) feature "to download data of other farecard users, while the farecard website had a list with numbers of all stored farecards and transaction history which was also potentially a security risk" and "although the security hole found in the farecard website has been closed by now, there are other loopholes in pilet.ee website that are a potential risk." This time, this concerns the "green" farecards of those who did not personalize their cards, namely non-residents who transfer money to the cards to buy single-trip tickets on buses. BBN continues that "according to the paper, it is possible to steal money from the farecard if one knows the card number" and that "the paper also made a test which showed that all farecards were readable with NFC smartphones which allows potential criminals to obtain farecard user’s data simply by walking past the card." So even the anonymous passengers may be subject to fraud. I assume that this is the (temporary) end of the project, as whoever cannot even make sure that the paid transactions take place safely can also pull the whole thing into the garbage chute, and this also makes the main argument obsolete for why the data "must" be saved for a period of seven years (the argument has been for accounting reasons). Again, zero talent, and the zero is definitely and beyond recall rounded up.