'Staggering' security lapse at WINZ

WINZ told of security flaw ‘a year ago’

3News NZ

Several thousand private files were accessible (file pic)

By 3 News online staff

There's been a major privacy breach at the Ministry of Social Development.

The ministry has closed computer kiosks at Work and Income offices after blogger and freelance journalist Keith Ng was able to access thousands of personal files, including details of at-risk children, adoption, foster parents and people owing money to the ministry.

Mr Ng says he used publicly accessible WINZ kiosks at two different locations in Wellington, and was able to access several thousand files.

"These locked-down kiosks are provided so you could look for jobs online, send off CVs etc," he writes on his blog.

"They’ve had some basic features disabled, which supposedly meant that you couldn’t just open up File Manager and poke around the machine. However, by just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network, and then open up any accessible file."

Mr Ng was able to access details about:

  • Contractors' names, pay details and hours worked;
  • Clients' medical details, including prescriptions and bills;
  • Names of people under investigation for benefit fraud;
  • Names, dates of birth and school details for children in foster and CYF care;
  • Phone bills and addresses for CYF homes and facilities;
  • All of the ministry's legal bills;
  • Details of a suicide attempt;
  • Configurations for virtual machines and passwords stored in plain text.

Mr Ng says he sorted through 3500 invoices – "about half of what I obtained, and what I obtained was about a quarter of what was accessible".

"There are probably more outrageous things still on that server, and there are probably other servers that I’ve completely missed," he writes. "But I’m done for now."

The ministry says it is "very concerned" about the data leak.

"A security issue was raised with us during the establishment phase for these kiosks," says deputy chief executive Marc Warner. "We have closed all kiosks in all sites across the country to ensure no further information can be accessed.

"They will not be reopened unless, and until, we can guarantee they are completely secure and we have obtained independent assurance from security experts."

Mr Ng says he has informed the privacy commissioner, and will not be releasing any of the data himself.

"Looking at the architecture of the network, or how they've put together the network, they've fundamentally got it wrong," says Paul Matthews of the Institute of IT Professionals.

"This wasn't an elaborate hack, it wasn't sneaking around through back doors. These systems were wide open."

The incident follows other privacy breaches this year at the ACC, IRD and NZTA.

Mr Matthews says the law needs to change so departments have to notify the public when breaches occur.

"In this case, Keith's come out publicly and disclosed what's happened," says Mr Matthews. "What we don't know is how often this sort of thing occurs and it's not made public, people's information is released and we don't know about it. People who have had their information leaked aren't aware of it."

CRITICISM COMES SWIFTLY

Labour's social development spokesperson Jacinda Ardern said it was a "staggering" security lapse.

"There are vulnerable kids involved here, right at the time when [Social Development Minister Paula Bennett] is proposing a new database and greater information sharing," she told the New Zealand Herald.

"The minister is going to have to not only rebuild security into the system, but restore people's confidence in it."

Green Party co-leader Metiria Turei says the leak is "symptomatic of a ministry with a low regard for client privacy".

“The Ministry of Social Development has repeated ACC’s privacy breach debacle, with details including housing and pharmacy records of children in CYFS care being publicly available via self-service kiosks at Work and Income branches across the country.

“While ACC is learning from its mistakes, Paula Bennett has refused to rule out personally releasing the private details of beneficiaries who criticise her policies in the future.

“Given the poor example set by their minister, it is hard to see how the Ministry of Social Development can improve their practices with regards to client privacy.”

MSD WARNED ABOUT FLAW LAST YEAR

A beneficiary advocate says the ministry was advised of the flaw more than a year ago.

"I went with my collectors and we had a little play on the kiosks to see what they can do, and one of the guys who was with us found out that you can get back into the MSD system," she told Radio New Zealand this morning.

"We came out finding out ... that the people who were using the kiosks could actually get into Work and Income's information.

"We went far enough to know that there was a problem, and we let Work and Income and MSD national office know that that problem existed.

"It was important that they did something about it before someone with skills and time found their way back into Work and Incomes files."

MINISTER "VERY CONCERNED"

Prime Minister John Key this morning said Ms Bennett was "very concerned" about the breach.

"At the end of the day people are increasingly accessing information from the Government electronically - we live in a digital age and we have to make sure that those systems are robust and clearly there's a failure here and we just have to work out what's caused it," he told TVNZ.

NG COULD FACE LEGAL ACTION

Lawyer Thomas Beagle, founder of organisation Tech Liberty, suggests Mr Ng may have broken the law in accessing the files.

"I was surprised at how far Keith went into their systems after establishing that there were major security holes," Mr Beagle told The National Business Review.

"He said in his article, 'I sorted through 3500 invoices. This was about half of what I obtained, and what I obtained was about a quarter of what was accessible.'

"That implies that he wasn't just looking at what was available, but was actually analysing/reading it and possibly even taking copies away… White hat hacking is normally about proof that a system can be penetrated, not exploiting the holes that you can find."

Mr Ng says he did take files from the network, in order to analyse just what he had found.

Intellectual property lawyer John Edwards said Mr Ng had a defence, and there would be nothing to gain from prosecuting him.

"He didn't make any personal gain," says Mr Edwards. "He secured the information, and turned it over to the appropriate authorities."

Mr Ng, a freelance journalist, regularly asks for donations in order to fund his work. He told the NBR he hadn't sought legal advice before accessing the network, but has since.

"The kiosk was available to members of the public," says Mr Ng. "But I did get legal advice once I figured out what I found, and I talked to the privacy commissioner prior to publication." 

Online law specialist Rick Shera says as the kiosk Mr Ng used to access the network was open to the public, he had authorisation to use it.

"Keith or anyone else was 'authorised' to access that computer system," says Mr Shera. "Once in, one could commit other offences of course… but having gained authorised access, an unauthorised access allegation is a dead duck."

3 News


Comments

17/10/2012 9:34:17 a.m.

Billy wrote:

@frank, your analogy is quite wrong - Rather, in your context, it's more like two shoppers have found food on the shelf with a "zero" price tag, so they go through checkout getting it for free - then they tell the media the shop's price system is faulty. I'm sure the information has been disposed of and not used in any way other than to highlight faults.

16/10/2012 6:31:34 p.m.

frank wrote:

I see nobody has mentioned the two men who stole the information. Let's face it, if you go into the supermarket and pick up some of the food that is on the shelf and don't pay for it, you will get charged with theft; likewise these two men should get charged with theft of confidential files.

16/10/2012 11:27:58 a.m.

Jimmy wrote:

The word "failure" has been used a lot lately by Mr Key. It’s ironic that his and National's policies that encourage the "brain drain" are the underlying causes of these systemic incompetencies and failures throughout his departments!

16/10/2012 6:47:16 a.m.

Ruz wrote:

The CEO of MSD says that the buck stops with him. Which means in the context of the NZ public service that somebody other than he will lose their job.

15/10/2012 8:55:17 p.m.

Lou wrote:

Paula Bennett has already over spent her budget by millions and millions. What has she actually spent it on? She needs to be educated. Morons

15/10/2012 5:39:26 p.m.

Martin wrote:

The IT setup has to have been done by a friend of a friend that's good with computers and stuff for this to happen. JR Murphy is right about the kiosks and no privacy. Real budget job, just like operating Kiwibank out of Post shops with their open-top paper-wall offices. People keep slagging off the current government but they do not run the system, and have also inherited everything from Labour.

15/10/2012 4:06:33 p.m.

Kathy wrote:

Yet again another indication that National Party ministers are completely incompetent and inept at their jobs. Just another indication also that no National Party ministers are providing oversight to their portfolios.

15/10/2012 2:45:16 p.m.

Gary wrote:

Paula Bennett MUST be stood down by JK for this total balls-up! If he does not then it just proves how messed up and pathetic this National government really is. But having said that, we are then asking JK - proven liar or potential Alzheimer's patient - to stand up and do the right thing for the people of NZ. Not a good situation at all for the nation. When can we get rid of this absolute rabble of trash we have running our country? They are destroying NZ one cock-up at a time.

15/10/2012 1:49:25 p.m.

Al wrote:

Very concerning for those who may be in hiding from an abusive ex-partner. Very concerning when you consider someone could plug a WiFi router into the Winz network (there are jacks in public areas) and sit across the road browsing. Very concerning that access wasn't just gained, but there is likely no audit trail of previous unauthorised access. Hugely concerning that MS Word, Publisher etc have been known to expose drives and shares otherwise 'hidden' for over 10 years. There are settings to disable this, and anyone who doesn't know about them has no business being in IT. Staggering that someone thought hiding shares equates to securing them; it does not, setting proper file permissions does. Extremely incompetent and/or lazy.
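The two points raised above, Mr Ng's description of reaching network shares through an Office Open File dialogue and the comment that hidden shares are not secured shares, come down to checks an administrator can run. The script below is an added example and is not code from the article, the ministry or any commenter: it audits a Windows host for shares and folders that grant access to broad principals, and reports whether the kiosk's user policy merely hides drives (NoDrives) or actually blocks access to them and to network browsing (NoViewOnDrive, NoEntireNetwork). It assumes it runs as an administrator on the machine being audited; the principal list and the report shape are my own choices.

```powershell
# Added example (not from the article). Run elevated on the kiosk or file server being audited.
# Part 1: shares and NTFS folders that grant Allow access to broad principals.
# Part 2: whether the current user's kiosk policy hides drives or actually restricts them.

# Principals that should not normally have access to sensitive ministry data (assumption: adjust to the environment).
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

function Get-BroadShareAccess {
    $findings = @()
    # Skip administrative shares (C$, ADMIN$, IPC$); they are covered by local admin rights, not share ACLs.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        # Share-level ACL: a '$' suffix only hides the share from browsing, it grants nothing.
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $ace.AccountName) {
                $findings += [pscustomobject]@{
                    Check  = 'ShareACL'
                    Object = "$($share.Name) ($($share.Path))"
                    Detail = "$($ace.AccountName): $($ace.AccessRight)"
                }
            }
        }
        # NTFS ACL on the underlying folder: effective access is the intersection of share and NTFS rights,
        # so a broad NTFS grant plus a broad share grant is what exposes the files.
        if (Test-Path -LiteralPath $share.Path) {
            $acl = Get-Acl -LiteralPath $share.Path
            foreach ($rule in $acl.Access) {
                if ($rule.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $rule.IdentityReference.Value) {
                    $findings += [pscustomobject]@{
                        Check  = 'NtfsACL'
                        Object = $share.Path
                        Detail = "$($rule.IdentityReference.Value): $($rule.FileSystemRights)"
                    }
                }
            }
        }
    }
    return $findings
}

function Get-KioskDrivePolicy {
    # Explorer policy values under the current user's hive (per-user Group Policy lands here).
    $explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $networkKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Network'

    # NoDrives only hides drive letters in Explorer; Open/Save dialogs and typed paths still work.
    $noDrives = (Get-ItemProperty -Path $explorerKey -Name NoDrives -ErrorAction SilentlyContinue).NoDrives
    # NoViewOnDrive ("Prevent access to drives from My Computer") blocks access through common dialogs too.
    $noView = (Get-ItemProperty -Path $explorerKey -Name NoViewOnDrive -ErrorAction SilentlyContinue).NoViewOnDrive
    # NoEntireNetwork removes network browsing from Network Locations.
    $noNet = (Get-ItemProperty -Path $networkKey -Name NoEntireNetwork -ErrorAction SilentlyContinue).NoEntireNetwork

    [pscustomobject]@{
        DrivesHiddenOnly   = ($noDrives -gt 0 -and -not ($noView -gt 0))   # the "hidden but not secured" case
        DrivesRestricted   = ($noView -gt 0)
        NetworkBrowsingOff = ($noNet -eq 1)
    }
}

# Report. Share/NTFS findings are the primary control; hiding settings are defence in depth only.
$shareFindings = Get-BroadShareAccess
if ($shareFindings.Count -eq 0) {
    Write-Output 'No shares or share folders grant Allow access to broad principals.'
} else {
    $shareFindings | Format-Table -AutoSize
}
Get-KioskDrivePolicy | Format-List
```

Read the output as the comment above suggests: any `ShareACL` or `NtfsACL` line naming Everyone or Authenticated Users is the finding that matters, because an application file dialog honours exactly those permissions regardless of what Explorer hides. `DrivesHiddenOnly = True` is the configuration the comment criticises; it should be paired with `DrivesRestricted` and `NetworkBrowsingOff`, and with host firewall rules that stop the kiosk reaching SMB on internal servers at all.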

15/10/2012 1:22:22 p.m.

Jasper wrote:

A subtle threat to beneficiaries .... now that your personal information's in the public area. You can now be outed and not know how.