They often find them, and usually get a complimentary legal threat or outright lawsuit to go with it.
Recently, a Minnesota Public Radio reporter went digging, and indeed found records exposed. The records in question were I-9 processing forms held by Texas-based Lookout Services. The undisputed truth seems to end about there. The reporter wrote about the incident, and the attention the incident stirred caused the entire state of Minnesota to stop using Lookout Services for I-9 verification. Lookout Services responded with a lawsuit, essentially claiming that MPR illegally accessed the data.
Now, MPR claims it didn’t need to authenticate in order to access the data. Lookout Services supposedly disagrees, according to a great article by minnpost.com reporter David Brauer, which gives excellent background on the issue. My interpretation is this: an authenticated session was used to discover a URL that then served the data without any authentication. Most modern web applications check on every request whether a valid login session exists before handing back content. But that check is usually written per page or per handler, so it is easy to ‘omit’ or ‘forget’ it on certain requests, and those requests simply hand the content over to anyone who knows the URL. If I had to bet, I’d bet that the reporter found such an omission, then ran with it.
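To make the "forgotten check" concrete, here is an added example that is not code from the original post, from MPR, or from Lookout Services: a toy request router where every handler is expected to check the session itself, and one handler doesn't, beside a dispatcher that applies the check to every request unless the path is on an explicit public list. The paths, cookie names, session token and I-9 record below are all constructed for illustration.

```python
"""Added example (not from the original post): a per-handler login check that
one handler forgot, beside a default-deny dispatcher that closes the gap.
All names, paths, tokens and records are constructed for illustration."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample state: one valid session cookie and one sensitive record.
SESSIONS: Dict[str, str] = {"sess-abc123": "hr_user"}
RECORDS: Dict[str, Dict[str, str]] = {
    "1001": {"employee": "J. Doe", "form": "I-9", "ssn_last4": "1234"},
}
PUBLIC_PATHS = {"/login", "/healthz"}  # the only routes that need no session


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def current_user(req: Request) -> Optional[str]:
    """Return the user bound to the request's session cookie, or None."""
    return SESSIONS.get(req.cookies.get("session", ""))


def login(req: Request) -> Response:
    return Response(200, "login form")


def list_records(req: Request) -> Response:
    # This handler remembers to check the session.
    if current_user(req) is None:
        return Response(401, "login required")
    return Response(200, ",".join(sorted(RECORDS)))


def export_record(req: Request) -> Response:
    # This handler does not: anyone who learns the URL gets the record.
    rid = req.path[len("/export/"):]
    rec = RECORDS.get(rid)
    if rec is None:
        return Response(404, "no such record")
    return Response(200, "; ".join(f"{k}={v}" for k, v in rec.items()))


ROUTES: List[Tuple[str, Callable[[Request], Response]]] = [
    ("/login", login),
    ("/records", list_records),
    ("/export/", export_record),
]


def route(req: Request) -> Callable[[Request], Response]:
    """Pick the first handler whose prefix matches the request path."""
    for prefix, handler in ROUTES:
        if req.path.startswith(prefix):
            return handler
    return lambda r: Response(404, "not found")


def vulnerable_app(req: Request) -> Response:
    """Each handler enforces login on its own; export_record forgot."""
    return route(req)(req)


def hardened_app(req: Request) -> Response:
    """Default deny: every request outside PUBLIC_PATHS needs a session,
    so a handler that forgets its own check is still protected."""
    if req.path not in PUBLIC_PATHS and current_user(req) is None:
        return Response(401, "login required")
    return route(req)(req)


if __name__ == "__main__":
    anon = Request("/export/1001")
    auth = Request("/export/1001", {"session": "sess-abc123"})
    print("vulnerable, no session:", vulnerable_app(anon))  # status 200, record leaks
    print("hardened,   no session:", hardened_app(anon))    # status 401
    print("hardened, with session:", hardened_app(auth))    # status 200
```

The point of the hardened version is where the decision lives: one gate in front of the router, with a short allowlist of public paths, rather than a check that every new handler has to remember. In a real framework this is the "before request" hook or authentication middleware; the allowlist should be reviewed as carefully as the handlers themselves, since anything added to it is served to the world.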
Was it illegal to do so, if that indeed is what happened? Maybe! Which is why reporters should really tread carefully when trying to ‘create news’.
This isn’t a recent phenomenon either.
In October of 2008, a WHRW campus news reporter, while reportedly walking through campus, stumbled upon an unlocked room with the door taped open. The room reportedly contained thousands of student records. The reporter announced the “breach” on the radio and blogged about it. The University then began a criminal investigation, which involved the district attorney, per this reporting:
The room was apparently several feet off the ground on a maintenance catwalk, and the reporter didn’t simply ‘stumble upon’ it. Was it a ‘good thing’ that this data storage issue was brought to light? Maybe, but was it done properly? We didn’t even add this incident to the database, although the option to do so isn’t exactly off the table.
Sometimes these things go without bickering between the reporter and the breached entity, but usually only when the breach was wide open and it is clear that the reporter did indeed just happen to stumble upon it.
Searching for data breaches isn’t something we at OSF have ever really condoned. It falls in a grey area for certain. Even using a search engine to find exposed data, public tools pointed at publicly reachable files, is questionable, because the act itself mirrors what an ID thief would do.