Public Transport Data Leak Reported
A security hole in the public transport ticketing e-service pilet.ee was discovered at the beginning of the week.
The flaw, found by the Eesti Ekspress weekly, allowed users who were logged on to access other users' information by changing a number in the browser's address bar. It is unrelated to security concerns regarding Tallinn's new farecard system, which is currently being evaluated by the Data Protection Inspectorate.
Eesti Ekspress reported today that the data available made it possible to link the ID numbers of other users to the types and times of their December ticket purchases.
The security hole was patched on Tuesday, an hour after the newspaper reported it to the responsible company, Ühendatud Piletid AS. The company's director Kristjan Konks said the threat was not serious.
“The access was limited to ticket receipts. They included no personal data and could not be connected to any specific person,” he said.
As the newspaper correctly pointed out, however, it is very easy to link an Estonian ID number with a person's name using a simple Google search. Pilet.ee not only provides tickets for public transport in Tallinn and Tartu, but also those for local commuter trains, some attractions such as the Tallinn Zoo and Botanic Garden, and use of massage chairs.
IT security expert Tõnu Samuel told to Eesti Ekspress the case was an example of a classical security hole. Programming an application to extract all the loose data would take a matter of minutes, he said.