A high-profile blogger acting on a tip-off has discovered that anyone can access the New Zealand Ministry of Social Development's (MSD) internal network via self-service computer kiosks set up in 'Work and Income' offices around the country.
Writing on Public Address, Keith Ng says he was able to read and modify any unsecured document on the MSD network simply by using the Open File dialog in Microsoft Office, which is installed on the kiosks. The kiosks were set up to help jobseekers find work online and mail curricula vitae to employers.
Ng was able to access highly sensitive information with personal details. This included 3,500 invoices from MSD contractors, doctors and medical specialists and media trainers. He could also see details of debt collection and fraud investigation matters.
According to Ng, it was possible to see the names and birth dates of children in state care on invoices and, in some cases, the schools they attend. Invoices for medications prescribed to children in state facilities, again listing their names, were also freely accessible.
Ng also found the addresses of the facilities and care homes for children.
Experts have warned that Ng may be at risk of prosecution for exposing the vulnerabilities.
Last night, the deputy chief director of the MSD, Marc Warner, said the kiosks have been closed down. They had been deployed nationwide for over a year.
"They will not be reopened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts," Warner told the NZ Herald.
This morning, Prime Minister John Key told TVNZ News that the privacy breach at the MSD is "a failure" and "a huge problem."
"At the end of the day people are increasingly accessing information from the Government electronically. We live in a digital age and we have to make sure that those systems are robust and clearly there's a failure here and we just have to work out what's caused it," PM Key said.
Key tried to downplay the privacy breach, saying it wasn't easy to find the information and that you had to go and look for it on the MSD network.
Opposition Labour MP Jacinda Ardern called the privacy breach "appalling" and "astounding" and said it comes hard on the heels of serious security lapses at the Accident Compensation Corporation, New Zealand's public insurer, and the Inland Revenue Department.
Ardern says the breach raises serious doubts about the MSD's ability to properly protect the highly sensitive information it holds.