Man Charged For Notifying USC of Vulnerability
Federal prosecutors charged a San Diego-based computer expert on Thursday with breaching the security of a database server at the University of Southern California last June and accessing confidential student data.
A statement from the U.S. Attorney for the Central District of California names 25-year-old Eric McCarty as the person who contacted SecurityFocus last June with news of a flaw in the Web server and database system used to accept online applications from prospective students. SecurityFocus notified the University of Southern California of the vulnerability and worked with the university to close the flaw before publishing an article about the issue.
“It wasn’t that he could access the database and showed that it could be bypassed,” said Michael Zweiback, an assistant U.S. Attorney for the U.S. Department of Justice’s cybercrime and intellectual property crimes section. “He went beyond that and gained additional information regarding the personal records of the applicant. If you do that you are going to face, like he does, prosecution.”
The clear message: Next time, don’t tell.
[Update: The story quoted is Rob Lemos, “Man Charged With Accessing USC Student Data.”]
[2nd Update: Rob Lemos has a good three-page story on this, “Breach case could curtail Web flaw finders.”]