Still, census data should not be accessible from a public facing web site. That's just amateur hour. You should really assume that anything with a POST form is vulnerable.
Agreed. Any submitted data should have been immediately encrypted with a public key who's companion private key was stored offline. It should have then been immediately transferred to a secondary box which was setup with a single function of accepting and storing the data. Ie a box which you can't query over the network for data.
As soon as the census closed, the relevant boxes should have been taken offline. The data moved to a "secure" location, and the original boxes wiped and destroyed.
Considering the data that was being collected, I don't think this is overkill.
well its got to go in somehow, perhaps a facade that exposes only preparedstatements procs could have prevented this, but equally perhaps they exploited the facade, the transport mechanism to the facade, the db driver..... who knows, what is known is that theres a path, however narrow
No, they should have processed the data on a secure network, then burnt CDs with the final results.
That's how Australia treats important (Top Secret classified) data. I don't know how classified our census is, it should be treated with a bit of respect.
Most websites seem to have at least one XSS or SQL injection hole. Nearly all have CSRF flaws.