Thousands of residents of the US state of Oklahoma have found that their personal details have been freely available on the web for three years.
The data includes their names, social security numbers and other personal information.
The source of the leak is Oklahoma's Department of Corrections website.
Anyone with a basic knowledge of SQL programming could interpret the URL and other data returned by Oklahoma's Department of Corrections (DoC) website.
By amending the long URLs returned by the site, a hacker could retrieve tens of thousands of social security numbers and allied data.
"This is a classic SQL injection vulnerability," he said, adding that the security lapse could easily have been caught with a simple code review.
According to Lee, had some form of automated analysis been used on the site, the incident could have been avoided.
"The sad thing is that vulnerabilities like these indicate to attackers that other related applications and organisations are probably vulnerable as well," he said.