NZ ministry knew of massive data breach

Powered by SC Magazine
 

Chose not to act after informant sought cash reward.

Revelations that members of the public could access confidential documents from kiosks installed at a New Zealand government welfare agency has blown into a national scandal, with data from multiple agencies, corporations and citizens leaked.

As reported on iTnews earlier today, blogger Keith Ng was able to gain access to highly sensitive information - including invoices and personal contact data - from self-service kiosks installed by the New Zealand Work and Income welfare agency.

The data included invoices issued to the Ministry that featured information about children in state care.

The self-service kiosks were installed by the New Zealand Work and Income welfare agency just over a year ago as part of a staff reduction program and to provide jobseekers internet access to apply for jobs online.

Today it has been revealed that the anonymous source that tipped off journalists about the vulnerability had approached the Ministry last week, seeking a financial reward.

Ng speaks

iTnews spoke to the Wellington-based blogger, Keith Ng, who first broke the news about the massive privacy breach after being tipped off last Tuesday.

His source claimed to have been aware of the breach for a number of days and had also alerted the Ministry last week, seeking a financial reward.

Ng told iTnews he was unsure how well-known the issue was and whether it has already been exploited.

“It’s not something you would stumble upon [by accident],” Ng said.

"You need to sit there for around half an hour to work out what’s happening and to navigate the system," Ng said.

The kiosks, which run an old version of Windows, 2000 or XP, had some protections in place to prevent unauthorised access.

“You can’t click on things and can’t open Explorer (the Windows built-in file management tool),” Ng said.

However, the security restrictions were easily bypassed as the kiosks run a full version of Microsoft’s Office Productivity suite, including applications such as Excel and Word, Ng said.

“By using the Open File dialog, you had access to the applications’ file manager and could read files that way, as well as copy and move them,” Ng said.

Ng says the kiosks were Internet-connected with browsers that provided access to webmail, meaning confidential files could have easily been sent in that manner. The kiosks also featured USB access.

The biggest problem Ng faced in accessing the data was the slow network performance at WINZ.

“It took two and a half hours to copy 400Mbyte of data [to USB],” he said.

Ng stressed that he no longer possesses that data, after being advised by the Privacy Commissioner’s office to delete it. He also pointed out that files visible on the network via the kiosks are invoices and not social welfare records.

Even so, the invoices contained a great amount of identifying details about welfare clients. In fact, it was not even necessary in many cases to view the invoices to glean details of welfare clients. The file names visible on the network were long and descriptive, he said.

Ng also revealed that because MSD was handling the payment of invoices for the Canterbury Earthquake Recovery Authority (CERA), invoices for that government agency were also visible via the kiosks on a shared network drive.

This may take the breach beyond an issue of personal privacy and into the realm of commercial confidentiality, should information relating to ministry contractors be leaked.

Fairfax News reported that the minister for earthquake recovery, Gerry Brownlee, has confirmed that CERA information was shared with the MSD and may have been available to people using the kiosks.

Minister "mortified"

At a media conference in Wellington today, the cabinet minister for social development and employment, Paula Bennett, labelled the privacy breach as “completely and utterly unacceptable.”

“Significant mistakes were made,” Bennett said. A review of the MSD’s information systems will be held, with reference terms to be published as soon as possible.

Bennett apologised to the New Zealand public for the breach and said she was "mortified".

The chief executive of MSD, Brendan Boyle said at the same conference that the breach “is embarrassing” and that he would do everything to make sure it doesn’t happen again.

He also said that the MSD was alerted to the issue last week by an informant who told the ministry that he was working with a journalist.

The informant “was quite vague” and sought a reward for providing the information. Boyle said this was something the MSD would not offer.

Boyle said the ministry did not take action because the informant did not provide any further details.

The informant is thought to be the same person that tipped off Ng.

Ng told iTnews his source had access to the data as well, but assured him that it had been deleted. He wasnot aware of any one else with access to the data.

DiData implicated

The kiosks were built internally by the MSD and deployed by the Ministry with the help of systems integrators Dimension Data.

Boyle says the kiosks were for the public to use, and that no logins were required. He is checking if there is an audit trail that could reveal how much information has been leaked.

Boyle says that Dimension Data conducted security tests on the kiosks, but found no problems.

“I am grateful to Mr Ng for cooperating and keeping the information secure, handing it to the Privacy Commissioner," he said.

Boyle said that while it is "too soon to say", it is “certainly not my intention” to prosecute Ng for unauthorised computer access, which is illegal under NZ computer crimes legislation.

The New Zealand assistant privacy commissioner Katrine Evans said her office is very concerned about the breach and has already launched an investigation.

Copyright © iTnews.com.au . All rights reserved.


NZ ministry knew of massive data breach
Paula Bennett, NZ minister for social development and employment.
 
 
 
Top Stories
Frugality as a service: the Amazon story
Behind the scenes, Amazon Web Services is one lean machine.
 
Negotiating with the cloud email megavendors
[Blog post] Lessons from Woolworths’ mammoth migration.
 
Qld govt to move up to 149k staff onto Office 365
Australia's largest deployment, outside of the universities.
 
 
Paula Bennett, NZ minister for social development and employment.
Sign up to receive iTnews email bulletins
   FOLLOW US...

Latest VideosSee all videos »

The great data centre opportunity on Australia's doorstep
The great data centre opportunity on Australia's doorstep
Scott Noteboom, CEO of LitBit speaking at The Australian Data Centre Strategy Summit 2014 in the Gold Coast, Queensland, Australia. http://bit.ly/1qpxVfV Scott Noteboom is a data centre engineer who led builds for Apple and Yahoo in the earliest days of the cloud, and who now eyes Asia as the next big opportunity. Read more: http://www.itnews.com.au/News/372482,how-do-we-serve-three-billion-new-internet-users.aspx#ixzz2yNLmMG5C
Interview: Karl Maftoum, CIO, ACMA
Interview: Karl Maftoum, CIO, ACMA
To COTS or not to COTS? iTnews asks Karl Maftoum, CIO of the ACMA, at the CIO Strategy Summit.
Susan Sly: What is the Role of the CIO?
Susan Sly: What is the Role of the CIO?
AEMO chief information officer Susan Sly calls for more collaboration among Australia's technology leaders at the CIO Strategy Summit.
Meet the 2014 Finance CIO of the Year
Meet the 2014 Finance CIO of the Year
Credit Union Australia's David Gee awarded Finance CIO of the Year at the iTnews Benchmark Awards.
Meet the 2014 Retail CIO of the Year
Meet the 2014 Retail CIO of the Year
Damon Rees named Retail CIO of the Year at the iTnews Benchmark Awards for his work at Woolworths.
Robyn Elliott named the 2014 Utilities CIO of the Year
Robyn Elliott named the 2014 Utilities CIO of the Year
Acting Foxtel CIO David Marks accepts an iTnews Benchmark Award on behalf of Robyn Elliott.
Meet the 2014 Industrial CIO of the Year
Meet the 2014 Industrial CIO of the Year
Sanjay Mehta named Industrial CIO of the Year at the iTnews Benchmark Awards for his work at ConocoPhillips.
Meet the 2014 Healthcare CIO of the Year
Meet the 2014 Healthcare CIO of the Year
Greg Wells named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at NSW Health.
Meet the 2014 Education CIO of the Year
Meet the 2014 Education CIO of the Year
William Confalonieri named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at Deakin University.
Meet the 2014 Government CIO of the Year
Meet the 2014 Government CIO of the Year
David Johnson named Government CIO of the Year at the iTnews Benchmark Awards for his work at the Queensland Police Service.
Q and A: Coalition Broadband Policy
Q and A: Coalition Broadband Policy
Malcolm Turnbull and Tony Abbott discuss the Coalition's broadband policy with the press.
AFP scalps hacker 'leader' inside Australia's IT ranks.
AFP scalps hacker 'leader' inside Australia's IT ranks.
The Australian Federal Police have arrested a Sydney-based IT security professional for hacking a government website.
NBN Petition Delivered To Turnbull's Office
NBN Petition Delivered To Turnbull's Office
UTS CIO: IT teams of the future
UTS CIO: IT teams of the future
UTS CIO Chrissy Burns talks data.
New UTS Building: the IT within
New UTS Building: the IT within
The IT behind tomorrow's universities.
iTnews' NBN Panel
iTnews' NBN Panel
Is your enterprise NBN-ready?
Introducing iTnews Labs
Introducing iTnews Labs
See a timelapse of the iTnews labs being unboxed, set up and switched on! iTnews will produce independent testing of the latest enterprise software to hit the market after installing a purpose-built test lab in Sydney. Watch the installation of two DL380p servers, two HP StoreVirtual 4330 storage arrays and two HP ProCurve 2920 switches.
The True Cost of BYOD
The True Cost of BYOD
iTnews' Brett Winterford gives attendees of the first 'Touch Tomorrow' event in Brisbane a brief look at his research into enterprise mobility. What are the use cases and how can they be quantified? What price should you expect to pay for securing mobile access to corporate applications? What's coming around the corner?
Ghost clouds
Ghost clouds
ACMA chair Chris Chapman says there is uncertainty over whether certain classes of cloud service providers are caught by regulations.
Was the Snowden leak inevitable?
Was the Snowden leak inevitable?
Privacy experts David Vaile (UNSW Cyberspace Law and Policy Centre) and Craig Scroggie (CEO, NextDC) claim they were not surprised by the Snowden leaks about the NSA's PRISM program.
Latest Comments
Polls
Which bank is most likely to suffer an RBS-style meltdown?





   |   View results
ANZ
  21%
 
Bankwest
  9%
 
CommBank
  11%
 
National Australia Bank
  17%
 
Suncorp
  24%
 
Westpac
  19%
TOTAL VOTES: 1455

Vote