Independent inquiry into WINZ privacy breach


3News NZ

A massive security breach in the public computers inside WINZ offices was exposed by blogger Keith Ng last night (Getty)


By 3 News online staff

Ministry of Social Development chief executive Brendan Boyle says an independent inquiry will be launched into the Work and Income New Zealand (WINZ) kiosk privacy breach.

The massive security breach involving the public computers inside WINZ was exposed by blogger and freelance journalist Keith Ng last night.

Mr Ng was able to access thousands of personal files, including details of at-risk children, adoption, foster parents and people owing money to the ministry.

He says he simply used publicly accessible WINZ kiosks at two different locations in Wellington, and was able to access several thousand files.

Mr Boyle says “what happened is simply unacceptable”.

Alongside the independent inquiry, an internal taskforce will be established to look into the vulnerability in the computer system.

Mr Boyle says that the ministry regularly asks firms KPMG and Dimension Data to test its websites for vulnerabilities by attacking them, and will ask for the intensity of these penetration tests to be increased.

But Mr Boyle also says that Dimension Data had already tested the kiosk computer system without discovering the security hole.

The public kiosks inside WINZ offices were first trialled in late 2010 before being rolled out nationwide.

All 700 kiosks across the country have now been shut down.

‘An early warning for future systems’

Social Development Minister Paula Bennett says she considers the breach “very serious”.

“None of this is acceptable,” she says.

The security failings were exposed following Ms Bennett’s announcement that there will be an increase in information sharing between Government agencies in future, to help protect vulnerable children.

Ms Bennett has tried to allay fears that greater information sharing will lead to further privacy breaches.

“If anything, this has given us an early warning for our future systems,” she says.

“The computing system unveiled in the white paper [on vulnerable children] will be a completely different system.”

‘The buck stops with me’

Mr Boyle says he has to take responsibility for the breach.

“The buck stops with me, I’m the chief executive,” he says.

“It’s embarrassing and unacceptable. We need to take lessons from this.”

However, Ms Bennett says it’s too early to apportion blame.

“It's too early for me to say what went wrong. It's too soon for us to put our finger on it.”

Ms Bennett has apologised for the lack of security surrounding people’s personal information.

“I apologise to everyone now. These people have trust in the ministry and we’ve let them down,” she says.

“The chief executive apologised to me and I accept that and now I pass that on to the country.”

Member of public went to MSD before journalist

The Ministry of Social Development says a member of the public alerted them to “some kind of breach” last week, and tried to extract money from the ministry by threatening to notify the media.

But a beneficiary advocate says the ministry was first advised of the flaw more than a year ago.

"I went with my collectors and we had a little play on the kiosks to see what they can do, and one of the guys who was with us found out that you can get back into the MSD system," she told Radio New Zealand this morning.


Comments

15/10/2012 11:54:04 p.m.

zaine logan wrote:

I once purchased an old WINZ computer from a government auction. To my amazement the hard drive had not been formatted and I was able to access files that were not meant for public viewing. I did the right thing and formatted the drive myself.
It now makes me wonder how many systems are out there with the information still on the drives? Look what happened to Paul White, who had Citibank's drives with sensitive info on them. He was killed in a questionable accident.

15/10/2012 7:20:09 p.m.

Save the children from govt incompetence wrote:

Meanwhile Key and Shearer are still looking for a GCSB "tape". Despite tape being a superseded recording and storage medium, replaced in most government agencies by digital file keeping systems (years ago). Small wonder there have been so many government security breaches in New Zealand. Digital technology is prone to easy manipulation, weak government information storage systems compound the problem, and government ministers know nothing about how anything works.

15/10/2012 7:02:52 p.m.

Stop Paula Bennett wrote:

Many New Zealand politicians are technologically inept. They have no idea how information systems work. Outside being able to use email, Facebook and Twitter, the average minister's understanding of information storage and retrieval systems is poor. These people haven't the capacity to imagine problems, let alone set in place practical and reliable solutions to those problems. Paula Bennett's plan to create a database containing the details of at-risk children was the idea of other people who are similarly incapable of looking into the future and forecasting an information disaster. Life is tough enough for an at-risk child without being exposed to the additional risk of poorly run databases and virtual surveillance operations overseen by incompetent government ministers and administered by staff whose primary motive is to be paid rather than to care for others.

15/10/2012 6:05:24 p.m.

ivan wrote:

That's what happens when all our highly skilled I.T. guys leave NZ.

15/10/2012 5:04:42 p.m.

Kim wrote:

Well, we should at least be happy that there was no ministerial involvement or we would NEVER get an inquiry.

15/10/2012 4:52:09 p.m.

Wiseacre wrote:

This is the inevitable result of deep cuts to the public service. The Managers and Chief Executives getting paid exorbitant international *market rates* to oversee this probably received a bonus for the false economy of contracting out to the cheapest they could find. They get paid the megabucks to take responsibility for their departments, but it'll be the IT guys that get hung out to dry. For the National Government, responsibility is something only required of the poor. Heads need to roll, right at the top.

15/10/2012 2:51:52 p.m.

Al wrote:

This method of gaining access to files is over 10 years old, and is trivial. I've seen schoolkids use it to look at the principal's files. Instead of securing access properly using permissions, these slackers simply 'hid' them. No-one in the IT industry should let Key & Bennett get away with downplaying this because few would have the skills to exploit it. If you know how to open a file in MS Word, you can exploit this. It is a huge deal & may well have allowed more skilled people to install backdoors into the system. It is not appropriate to blame either Labour or National for this breach existing, but the way it is handled from here on in will reflect on the current govt. Guarded responses, half remedies and little napoleons defending their empires are not appropriate here. There may well be LITERALLY lives at stake. WINZ are likely to have addresses for people under the care of Women's Refuge, and subject to protection orders under the Domestic Violence Act.

15/10/2012 2:16:33 p.m.

pondering wrote:

Well, the MSD did say they were going to share more private info on children. They just didn't say how far they would go.