MySQL – Asking for SQL schema by FOIA

MySQL, schema, Security

I've sent FOIA requests to various public institutions in my area.

I'm only asking for the schema of the SQL databases their financial services might be using (column name for every table for every database).

I'm getting answers along the lines that what I'm asking for is a security risk, therefore the organization will refuse my request.

I'm not a DBA. I use MySQL to process data in the public interest, but am only at a beginner level. I'd like to understand exactly how knowing only the schema of an SQL database could be a security risk. The general guidelines detailed in the answer to this question don't mention it.

Thank you very much in advance for your help!

Best Answer

Let's suppose the institution does send me a listing of all the tables and their columns. Even though I don't have the actual data, I can now attempt social engineering attacks to convince insiders to give me whatever data I want.

The request would sound much more legitimate, because I could ask for very specific pieces of information using the actual table names. If I were to find someone with access to the database and convince them that I'm a higher-ranking employee (e.g. their manager or the CEO), I could make a legit-sounding request for sensitive information.

You would be surprised how often this happens in a corporate environment. Just having the metadata for a database exposed can be a big security risk.