'Staggering' security lapse at WINZ

  • Breaking
  • 14/10/2012

By 3 News online staff

There's been a major privacy breach at the Ministry of Social Development.

The ministry has closed computer kiosks at Work and Income offices after blogger and freelance journalist Keith Ng was able to access thousands of personal files, including details of at-risk children, adoption, foster parents and people owing money to the ministry.

Mr Ng says he used publicly accessible WINZ kiosks at two different locations in Wellington, and was able to access several thousand files.

"These locked-down kiosks are provided so you could look for jobs online, send off CVs etc," he writes on his blog.

"They’ve had some basic features disabled, which supposedly meant that you couldn’t just open up File Manager and poke around the machine. However, by just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network, and then open up any accessible file."
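The technique Ng describes is not an exploit of Office. A file dialog is just another way of issuing ordinary SMB reads, so disabling File Manager on the kiosk changes nothing about what the kiosk account is allowed to read on the network. The check that matters is the one below: run as the locked-down kiosk account, before go-live, and see which shares it can list. This is an added example written for this page, not code from Ng, 3 News or the Ministry; the host names are constructed placeholders and would normally come from DNS, AD or a `net view` sweep of the kiosk's subnet.

```powershell
# Added example (not from the article): audit, from the kiosk account itself,
# which network shares that account can browse and read.
# Host names are constructed placeholders.
$Hosts = @('fileserver01', 'fileserver02', 'printserver01')

function Get-ReadableShares {
    param([string[]]$ComputerName)

    foreach ($h in $ComputerName) {
        # 'net view' lists the shares a host advertises to the calling account.
        $lines = & net view "\\$h" 2>&1 | ForEach-Object { "$_" }
        if ($LASTEXITCODE -ne 0) {
            [pscustomobject]@{ Host = $h; Share = $null; Readable = $false;
                               Note = ($lines -join ' ').Trim() }
            continue
        }

        # Rows look like "Name   Disk   Comment"; keep only disk shares.
        $shares = @()
        foreach ($line in $lines) {
            if ($line -match '^\s*(\S+)\s+Disk\b') { $shares += $Matches[1] }
        }

        foreach ($s in $shares) {
            $unc = "\\$h\$s"
            $readable = $false
            try {
                # A directory listing succeeds only if this account has read access.
                $sample = (Get-ChildItem -LiteralPath $unc -ErrorAction Stop |
                           Select-Object -First 3).Name -join ', '
                $readable = $true
            } catch {
                $sample = $_.Exception.Message
            }
            [pscustomobject]@{ Host = $h; Share = $s; Readable = $readable; Note = $sample }
        }
    }
}

# Any row with Readable = $true is a finding: the kiosk account should not
# be able to read it, whatever the kiosk's UI lockdown says.
Get-ReadableShares -ComputerName $Hosts | Format-Table -AutoSize
```

Every readable share this reports is a permissions or segmentation problem on the server side, not a kiosk problem: the fix is removing the kiosk account (and `Everyone`/`Authenticated Users`) from the share and NTFS ACLs, and putting the kiosks on a network segment that cannot reach internal file servers at all. Hiding the file dialog, or any other UI control, only hides the symptom.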

Mr Ng was able to access details about:

  • Contractors' names, pay details and hours worked;
  • Clients' medical details, including prescriptions and bills;
  • Names of people under investigation for benefit fraud;
  • Names, dates of birth and school details for children in foster and CYF care;
  • Phone bills and addresses for CYF homes and facilities;
  • All of the ministry's legal bills;
  • Details of a suicide attempt;
  • Configurations for virtual machines and passwords stored in plain text.

Mr Ng says he sorted through 3500 invoices – "about half of what I obtained, and what I obtained was about a quarter of what was accessible".

"There are probably more outrageous things still on that server, and there are probably other servers that I’ve completely missed," he writes. "But I’m done for now."

The ministry says it is "very concerned" about the data leak.

"A security issue was raised with us during the establishment phase for these kiosks," says deputy chief executive Marc Warner. "We have closed all kiosks in all sites across the country to ensure no further information can be accessed.

"They will not be reopened unless, and until, we can guarantee they are completely secure and we have obtained independent assurance from security experts."

Mr Ng says he has informed the privacy commissioner, and will not be releasing any of the data himself.

"Looking at the architecture of the network, or how they've put together the network, they've fundamentally got it wrong," says Paul Matthews of the Institute of IT Professionals.

"This wasn't an elaborate hack, it wasn't sneaking around through back doors. These systems were wide open."

The incident follows other privacy breaches this year at the ACC, IRD and NZTA.

Mr Matthews says the law needs to change so departments have to notify the public when breaches occur.

"In this case, Keith's come out publicly and disclosed what's happened," says Mr Matthews. "What we don't know is how often this sort of thing occurs and it's not made public, people's information is released and we don't know about it. People who have had their information leaked aren't aware of it."

CRITICISM COMES SWIFTLY

Labour's social development spokesperson Jacinda Ardern said it was a "staggering" security lapse.

"There are vulnerable kids involved here, right at the time when [Social Development Minister Paula Bennett] is proposing a new database and greater information sharing," she told the New Zealand Herald.

"The minister is going to have to not only rebuild security into the system, but restore people's confidence in it."

Green Party co-leader Metiria Turei says the leak is "symptomatic of a ministry with a low regard for client privacy".

“The Ministry of Social Development has repeated ACC’s privacy breach debacle, with details including housing and pharmacy records of children in CYFS care being publicly available via self-service kiosks at Work and Income branches across the country.

“While ACC is learning from its mistakes, Paula Bennett has refused to rule out personally releasing the private details of beneficiaries who criticise her policies in the future.

“Given the poor example set by their minister, it is hard to see how the Ministry of Social Development can improve their practices with regards to client privacy.”

MSD WARNED ABOUT FLAW LAST YEAR

A beneficiary advocate says the ministry was advised of the flaw more than a year ago.

"I went with my collectors and we had a little play on the kiosks to see what they can do, and one of the guys who was with us found out that you can get back into the MSD system," she told Radio New Zealand this morning.

"We came out finding out ... that the people who were using the kiosks could actually get into Work and Income's information.

"We went far enough to know that there was a problem, and we let Work and Income and MSD national office know that that problem existed.

"It was important that they did something about it before someone with skills and time found their way back into Work and Incomes files."

MINISTER "VERY CONCERNED"

Prime Minister John Key this morning said Ms Bennett was "very concerned" about the breach.

"At the end of the day people are increasingly accessing information from the Government electronically - we live in a digital age and we have to make sure that those systems are robust and clearly there's a failure here and we just have to work out what's caused it," he told TVNZ.

NG COULD FACE LEGAL ACTION

Lawyer Thomas Beagle, founder of organisation Tech Liberty, suggests Mr Ng may have broken the law in accessing the files.

"I was surprised at how far Keith went into their systems after establishing that there were major security holes," Mr Beagle told The National Business Review.

"He said in his article, 'I sorted through 3500 invoices. This was about half of what I obtained, and what I obtained was about a quarter of what was accessible.'

"That implies that he wasn't just looking at what was available, but was actually analysing/reading it and possibly even taking copies away… White hat hacking is normally about proof that a system can be penetrated, not exploiting the holes that you can find."

Mr Ng says he did take files from the network, in order to analyse just what he had found.

Intellectual property lawyer John Edwards said Mr Ng had a defence, and there would be nothing to gain from prosecuting him.

"He didn't make any personal gain," says Mr Edwards. "He secured the information, and turned it over to the appropriate authorities."

Mr Ng, a freelance journalist, regularly asks for donations in order to fund his work. He told the NBR he hadn't sought legal advice before accessing the network, but has since.

"The kiosk was available to members of the public," says Mr Ng. "But I did get legal advice once I figured out what I found, and I talked to the privacy commissioner prior to publication." 

Online law specialist Rick Shera says as the kiosk Mr Ng used to access the network was open to the public, he had authorisation to use it.

"Keith or anyone else was 'authorised' to access that computer system," says Mr Shera. "Once in, one could commit other offences of course… but having gained authorised access, an unauthorised access allegation is a dead duck."

3 News

source: newshub archive