(AP) A San Francisco hacker says he found security lapses in The New York Times‘ internal computer network that exposed Social Security numbers for op-ed page contributors and other sensitive files.
Adrian Lamo, 21, a part-time Internet security consultant, said Tuesday that he hacked the newspaper’s Web site and snooped around numerous times about 10 days ago.
He said he found at least seven misconfigured servers, allowing savvy users to enter the newspaper’s private network through its public Web site. He said he browsed through names and Social Security numbers of the paper’s employees, home delivery customers’ orders, and contact information used by writers and editors on the metro and business desks.
He said he accessed a database of 3,000 contributors to the Times‘ op-ed page, which included Social Security numbers for celebrities and government officials.
Lamo said that the SecurityFocus Web site notified the newspaper of what he had done and that the newspaper patched the holes he found but did not acknowledge the incursion.
Christine Mohan, a spokeswoman for the Times, confirmed Wednesday that SecurityFocus had notified the newspaper of the possible security breach on Tuesday.
“Right now we’re investigating the situation. We did identify the flaw, and we believe we were able to address the security issues that were raised,” she said.
Mohan said she could not comment on Lamo’s specific claims of what information he was able to access because “we’re determining what information may have been exposed. It’s an ongoing investigation. We take security very seriously, so we’re really putting a lot of attention to it right now.”