Join 3,572 readers in helping fund MetaFilter (Hide)


How do I blow the whistle without getting involved?
December 3, 2008 6:49 AM   Subscribe

I stumbled on a phpMyAdmin page for a database of personal info along with credit card numbers, hosted by a multinational corporation. I deleted some records. How do I report it without being accused of hacking?

I Googled an old address, and on the first page of results was a phpMyAdmin page with my partner's name, email, and old address. I clicked on the result and was taken to a purchase records database, complete with phone numbers, credit card numbers and expiration dates. I showed my partner the page and asked, "is this your credit card number?" and got a "yes... WHAT???!!!"

I realized I had admin privileges, so I tested deleting a record, and when it worked I deleted my partner and several other records for good measure.

Now I'd like to tell someone about it, but I'm afraid if I email the company, it will turn into a Very Bad Scene. Again, this is a large multinational company, and I don't want to get caught up in this.

Where could I report this, such as a specific person in the media or wherever, who would handle the information responsibly?

My IP address is now all over this thing. Could what I did be considered hacking?

Also, what is the best way to email someone anonymously?
posted by anonymous to Law & Government (23 answers total) 7 users marked this as a favorite
 
What a mess.

Lawyer time. NOW.
posted by By The Grace of God at 6:58 AM on December 3, 2008


Perhaps a good old-fashioned anonymous phone call?
posted by mannequito at 6:58 AM on December 3, 2008


Odds are your access was logged already. You might be better off just telling them whats going on straight out and raise holy hell. I'm pretty sure this is a huge breach of Sarbanes Oxley so they're at fault a bit here too. I doubt they would do anything to you for showing the issue.

If you want to email someone anonymously I'd go to a library or something and use a public computer to set up a gmail account and send an email through that. You could also sit outside a coffee shop with wireless and do the same thing. Technically they might be able to track your mac address so you could spoof that.

You might also be better off contacting the FBI Cyber Crimes division Linky they might have an anonymous line somewhere.
posted by bitdamaged at 7:03 AM on December 3, 2008


oh or anonymously call your credit card issuer. They'll call the bank post haste.
posted by bitdamaged at 7:04 AM on December 3, 2008


as I understand it*, using TOR should allow for anonymous access to websites; you could use it to register a new email address and send the email. Consider checking it out.

That said, it is probably wise to talk to a lawyer before any further action.

*: I can't double check what I remember reading, as my workplace bans anything that might allow me to work around its proxy. I could be wrong.
posted by VeritableSaintOfBrevity at 7:04 AM on December 3, 2008


no more of this and the internet! everything do offline.


get a lawyer!
posted by phritosan at 7:07 AM on December 3, 2008


TOR is more secure, not secure

dont depend on it for criminal(esque) activities.
posted by phritosan at 7:09 AM on December 3, 2008


Christ this sounds kinda bad. Get a lawyer.

"I realized I had admin privileges, so I tested deleting a record, and when it worked I deleted my partner and several other records for good measure."
I'm no expert but this sounds like Fairly Bad Scene coming your way.
posted by quosimosaur at 7:16 AM on December 3, 2008


Could what I did be considered hacking?

I am a criminal defense attorney. The answer to that is YES.

No caveats about me not being or lawyer or this isn't legal advice required because, from what you told us, this is a very clear-cut situation. You need to get your own lawyer immediately, and perhaps you can brainstorm with them how best to inform the authorities / the corporation.
posted by falconred at 7:20 AM on December 3, 2008 [1 favorite]


A coworker and I ran into a very similar situation. We called the lawyers, then called the FBI. What they're doing is WAY worse than what you did. You need to tell someone, but make sure you're protected, too. Call a lawyer, then call the authorities.
posted by geekchic at 7:30 AM on December 3, 2008 [1 favorite]


I can't concieve of any positive outcome in going to the authorities. If you do so, a case gets opened up in which your name is the only name, and you've already confessed to a crime. You're now a criminal. Authorities get paid to put criminals in prison, not to scold lazy incompetent sysadmins and pat criminals on the back. This is a no-brainer, I think.

Dealing with the company is a bit trickier. It all depends on whether their management are hysterical idiots who call the cops, or only semi-idiots who realise they're sitting on a tremendous legal and financial liability and prefer to keep everything on the d/l while they fix the problem. Think back to all the managers you've every worked for; probably this is a no-brainer as well.

If you do nothing, maybe someday someone will find out that the database is wide open. Possibly they'll do a full audit of each and every database transactions since the database was established. They might even call the cops, who are the only ones who can subpoena ISP records and attach a name to an IP, even though doing so will require disclosing to shareholders and customers that private data was negiglently made available, with the ensuing class actions lawsuits putting them out of business.

By all means lawyer up, but do the fucking math here.
posted by a young man in spats at 9:30 AM on December 3, 2008


You might want to use an anonymous remailer.
posted by idb at 9:48 AM on December 3, 2008


I realize this is turning into a chorus, but:

go get a lawyer.

As outlined above, every course of action you can take from here has risks. There's no longer any way around that; what's done is done. Telling someone (company, authorities) has risks. Doing nothing has risks. Worst case scenarios include your criminal prosecution, and there's really no way of knowing how likely that is from what you've said.

If, god forbid, the breach becomes evident, and somebody decides to act on it / investigate, there's probably enough to connect you already. Between existing IP logs and the fact that your partner's record was one of the ones tampered with, there's some decent circumstantial connection.

Don't muck around on the internet. Don't screw with anonymous remailers or Tor. You've already posted your version of the story (from the same IP?) on Metafilter. You're anonymous to all us posting on AskMe, but not to the admins, and not to somebody who comes asking with a subpoena in hand. You'd be surprised, sometimes, what weird dots Google can connect after the fact, and if it connects this one, well, that's bad. This may sound like doomsaying, but it's not all that far-fetched.

Go get a lawyer before you do anything else. This is not a question that you want to rely on AskMefi to answer. I know lawyers aren't cheap, but the downside here is real, and it's substantial.

I am not a lawyer, I am not your lawyer, this is not legal advice -- but it's probably time to go get some.
posted by theoddball at 10:08 AM on December 3, 2008


I had a similar experience, except in this case I received a phishing email from what looked like Apple. Via source code examination, I figured out where the phishing application was stored on the compromised web server and then found the text-based data file that their phishing form was writing to. Surprisingly, about one in every hundred entries was real, actual data with addresses and credit card numbers.

I quickly deleted the file, disabled the phishing form and forwarded the phishing email to a contact at Apple and the FBI.

The next day when I went back to look at the compromised web server, I found that some anti-phishing activist group had replaced all of the phishing forms and files with an HTML file notifying anyone viewing the files that it was a phishing attempt.
posted by camworld at 11:28 AM on December 3, 2008


No one else has mentioned it, so I shall. wikileaks.org
posted by BeerFilter at 11:39 AM on December 3, 2008


I could be wrong, but if there were no password requirements, and the site was publically available, I don't see how you could have done anything 'criminal'. Unless there's more you're telling us, you did not "hack" or "crack" anything.

If there were no passwords involved, or if it was a case where you used your own login information and had somehow been granted admin privileges, then that company holds the responsibility of having provided you that access level. You were functioning within the access level provided by the company.

Certainly you should talk to a lawyer to be sure, but I don't think you personally have much to worry about (unless there is more that you are not telling).
posted by CorporateHippy at 11:50 AM on December 3, 2008 [1 favorite]


Also, what is the best way to email someone anonymously?

Use an anonymous remailer from the library or other public internet spot. Consdering most anon email goes straight into junk I would also fax them something, perhaps straight to their VP of IT or CIO. faxzero.com does this for free and can also be done at the library. You might want to also go through a proxy. I think the hard part will be to actually get the message to someone who will do something about it instead of some secretary who will toss it.

You probably shouldn't worry about getting in trouble. I imagine there are going to be a bazillion IPs logged for this as criminals are constatly doing google searches for this kind of thing. The business will be too embarassed to do anything too public.
posted by damn dirty ape at 12:33 PM on December 3, 2008


CorporateHippy, you may not see it, but the 2002 university admissions hacking incident did not involve passwords. [mefi] I think in the end there were no criminal charges, but they have been filed in other cases.

This is a very similar one where a "white hat" hacker was charged. He pleaded guilty.

Related cautionary tales.

What can I say? Lawyer, lawyer, lawyer.
posted by dhartung at 12:38 PM on December 3, 2008


CorporateHippy, you may not see it, but the 2002 university admissions hacking incident did not involve passwords. [mefi] I think in the end there were no criminal charges, but they have been filed in other cases.

This is a very similar one where a "white hat" hacker was charged. He pleaded guilty.

Related cautionary tales.

What can I say? Lawyer, lawyer, lawyer.

Be that as it may, we're talking about a publicly accessible web page with ostensibly no warnings of any sort. The average person not of a techie background probably wouldn't even realize the ramifications of their actions doing what the original poster did.
posted by prunes at 1:20 PM on December 3, 2008


CorporateHippy: You remember that story about a middle-aged woman who signed up for MySpace under a false identity and taunted a teenage girl to the point of committing suicide?

She was just convicted of hacking, because using a false identity violates the MySpace TOS (which is somehow equivalent to hacking). That interpretation is obviously overbroad, but there it is. A case like this, if it came before a technically naive jury, could easily be called "hacking."
posted by adamrice at 1:24 PM on December 3, 2008


I could be wrong, but if there were no password requirements, and the site was publically available, I don't see how you could have done anything 'criminal'. Unless there's more you're telling us, you did not "hack" or "crack" anything.

This is so very, very wrong. The phrase commonly used in legislation is "unauthorized access". The OP, by his/her own admission, accessed and altered data that they knew they should not have been able to access. The fact that it was accidentally exposed makes no difference at all. They need to talk a lawyer. (IANAL, computer security is part of my job, though).
posted by tallus at 1:34 PM on December 3, 2008


I'm not saying this is the best thing to do, but if you are swayed by the suggestions to quietly close the door and don't mention it again. Maybe you can get yourself into even more trouble by first setting or changing the password so that nobody else can stumble upon it?

I guess you could also claim that you were acting it good faith and you kinda have this MeFi to support your good intent.

Oh and what about the Electronic Frontier Foundation ? eff.org
posted by Xhris at 2:02 PM on December 3, 2008


follow-up from the OP
Thank you so much to the "go get a lawyer" chorus.

My experience most closely resembled that of geekchic. Thanks also to theoddball, prune, By The Grace of God, and anyone else who said "lawyer."

I immediately hired a lawyer who specializes in internet law. It turns out that what was found is larger than I even imagined. It was a massive security breach on the company's part.

My lawyer was able to communicate with the company and will also be taking this to the State Attorney General. I am so glad that I both covered myself and was able to give the breach the attention it needed. Thank you!
posted by jessamyn at 1:12 PM on December 7, 2008 [2 favorites]


« Older Oh man does my toenail hurt! W...   |  Is there any recourse to being... Newer »
This thread is closed to new comments.