NZ ministry knew of massive data breach

Chose not to act after informant sought cash reward.

Revelations that members of the public could access confidential documents from kiosks installed at a New Zealand government welfare agency has blown into a national scandal, with data from multiple agencies, corporations and citizens leaked.

As reported on iTnews earlier today, blogger Keith Ng was able to gain access to highly sensitive information - including invoices and personal contact data - from self-service kiosks installed by the New Zealand Work and Income welfare agency.

The data included invoices issued to the Ministry that featured information about children in state care.

The self-service kiosks were installed by the New Zealand Work and Income welfare agency just over a year ago as part of a staff reduction program and to provide jobseekers internet access to apply for jobs online.

Today it has been revealed that the anonymous source that tipped off journalists about the vulnerability had approached the Ministry last week, seeking a financial reward.

Ng speaks

iTnews spoke to the Wellington-based blogger, Keith Ng, who first broke the news about the massive privacy breach after being tipped off last Tuesday.

His source claimed to have been aware of the breach for a number of days and had also alerted the Ministry last week, seeking a financial reward.

Ng told iTnews he was unsure how well-known the issue was and whether it has already been exploited.

“It’s not something you would stumble upon [by accident],” Ng said.

"You need to sit there for around half an hour to work out what’s happening and to navigate the system," Ng said.

The kiosks, which run an old version of Windows, 2000 or XP, had some protections in place to prevent unauthorised access.

“You can’t click on things and can’t open Explorer (the Windows built-in file management tool),” Ng said.

However, the security restrictions were easily bypassed as the kiosks run a full version of Microsoft’s Office Productivity suite, including applications such as Excel and Word, Ng said.

“By using the Open File dialog, you had access to the applications’ file manager and could read files that way, as well as copy and move them,” Ng said.

Ng says the kiosks were Internet-connected with browsers that provided access to webmail, meaning confidential files could have easily been sent in that manner. The kiosks also featured USB access.

The biggest problem Ng faced in accessing the data was the slow network performance at WINZ.

“It took two and a half hours to copy 400Mbyte of data [to USB],” he said.

Ng stressed that he no longer possesses that data, after being advised by the Privacy Commissioner’s office to delete it. He also pointed out that files visible on the network via the kiosks are invoices and not social welfare records.

Even so, the invoices contained a great amount of identifying details about welfare clients. In fact, it was not even necessary in many cases to view the invoices to glean details of welfare clients. The file names visible on the network were long and descriptive, he said.

Ng also revealed that because MSD was handling the payment of invoices for the Canterbury Earthquake Recovery Authority (CERA), invoices for that government agency were also visible via the kiosks on a shared network drive.

This may take the breach beyond an issue of personal privacy and into the realm of commercial confidentiality, should information relating to ministry contractors be leaked.

Fairfax News reported that the minister for earthquake recovery, Gerry Brownlee, has confirmed that CERA information was shared with the MSD and may have been available to people using the kiosks.

Minister "mortified"

At a media conference in Wellington today, the cabinet minister for social development and employment, Paula Bennett, labelled the privacy breach as “completely and utterly unacceptable.”

“Significant mistakes were made,” Bennett said. A review of the MSD’s information systems will be held, with reference terms to be published as soon as possible.

Bennett apologised to the New Zealand public for the breach and said she was "mortified".

The chief executive of MSD, Brendan Boyle said at the same conference that the breach “is embarrassing” and that he would do everything to make sure it doesn’t happen again.

He also said that the MSD was alerted to the issue last week by an informant who told the ministry that he was working with a journalist.

The informant “was quite vague” and sought a reward for providing the information. Boyle said this was something the MSD would not offer.

Boyle said the ministry did not take action because the informant did not provide any further details.

The informant is thought to be the same person that tipped off Ng.

Ng told iTnews his source had access to the data as well, but assured him that it had been deleted. He wasnot aware of any one else with access to the data.

DiData implicated

The kiosks were built internally by the MSD and deployed by the Ministry with the help of systems integrators Dimension Data.

Boyle says the kiosks were for the public to use, and that no logins were required. He is checking if there is an audit trail that could reveal how much information has been leaked.

Boyle says that Dimension Data conducted security tests on the kiosks, but found no problems.

“I am grateful to Mr Ng for cooperating and keeping the information secure, handing it to the Privacy Commissioner," he said.

Boyle said that while it is "too soon to say", it is “certainly not my intention” to prosecute Ng for unauthorised computer access, which is illegal under NZ computer crimes legislation.

The New Zealand assistant privacy commissioner Katrine Evans said her office is very concerned about the breach and has already launched an investigation.