iTnews

Blogger finds NZ ministry network wide open

By Juha Saarinen on Oct 15, 2012 6:05AM
Blogger finds NZ ministry network wide open

Massive privacy breach.

A high profile blogger acting on a tip off has discovered that anyone can access the New Zealand Ministry of Social Development's (MSD) internal network via computer self-service kiosks set up  in 'Work and Income' offices around the country.

Writing on Public Address, Keith Ng says he was able to read and modify any unsecured document on the MSD network by simply using the Open File dialog in Microsoft Office, which is installed on the kiosks. The kiosks were set up to assist jobseekers to find work online and to mail curriculum vitaes to employers.

Microsoft Office Open File dialog in WINZ kiosks

Ng was able to access highly sensitive information with personal details. This included 3,500 invoices from MSD contractors, doctors and medical specialists and media trainers. He could also see details of debt collection and fraud investigation matters.

According to Ng, it was possible see names and birth dates of children in state care on invoices, and in some cases, the schools they attend. Invoices for medications prescribed to children in state facilities, again listing their names, were also freely accessible.

Ng also found the addresses of the facilities and care homes for children.

By exposing the vulnerabilities, experts have warned Ng may be at risk of prosecution.

Last night, the deputy chief director of the MSD, Marc Warner, said the kiosks have been closed down. They had been deployed nationwide for over a year.

"They will not be reopened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts," Warner told the NZ Herald.

This morning, Prime Minister John Key told TVNZ News that the privacy breach at the MSD is "a failure" and "a huge problem."

"At the end of the day people are increasingly accessing information from the Government electronically. We live in a digital age and we have to make sure that those systems are robust and clearly there's a failure here and we just have to work out what's caused it," PM Key said.

Key tried to downplay the privacy breach, saying it wasn't easy to find the information and that you had to go and look for it on the MSD network.

Opposition Labour MP Jacinda Ardern called the privacy breach "appalling" and "astounding" and said it comes hard on the heels of serious security lapses at the Accident Compensation Corporation, New Zealand's public insurer, and the Inland Revenue Department.

Ardern says the breach raises serious doubts about the MSD's ability to properly protect the highly sensitive information it holds.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
governmentinfosecmsdnzprivacysecurity

Partner Content

The case for postponing mainframe migration has eroded
Partner Content The case for postponing mainframe migration has eroded
Top 5 Benefits of Managed IT Services
Promoted Content Top 5 Benefits of Managed IT Services
Alienated from your own data? You’re not alone
Promoted Content Alienated from your own data? You’re not alone
Tick off the ransomware bandits
Promoted Content Tick off the ransomware bandits

Sponsored Whitepapers

Planning before the breach: You can’t protect what you can’t see
Planning before the breach: You can’t protect what you can’t see
Beyond FTP: Securing and Managing File Transfers
Beyond FTP: Securing and Managing File Transfers
NextGen Security Operations: A Roadmap for the Future
NextGen Security Operations: A Roadmap for the Future
Video: Watch Juniper talk about its Aston Martin partnership
Video: Watch Juniper talk about its Aston Martin partnership
Don’t pay the ransom: A three-step guide to ransomware protection
Don’t pay the ransom: A three-step guide to ransomware protection

Events

  • iTnews Benchmark Awards 2022 - Finalist Showcase
  • 11th Annual Fraud Prevention Summit 2022
  • IoT Impact Conference
  • Cyber Security for Government Summit
By Juha Saarinen
Oct 15 2012
6:05AM
0 Comments

Related Articles

  • AWS, Telstra, L'Oreal Australia line up against cyber security director liability plan
  • India mandates data breach notification within six hours
  • Videoconferencing apps can access muted mics
  • Tasmanians to get a single government identifier
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Kmart Australia stands up consent-as-a-service platform

Kmart Australia stands up consent-as-a-service platform
Telstra to open its 5G network to wholesale customers

Telstra to open its 5G network to wholesale customers
Macquarie Bank creates a broker portal on Salesforce

Macquarie Bank creates a broker portal on Salesforce
Active Directory defaults lead to no-fix PrivEsc vulnerability

Active Directory defaults lead to no-fix PrivEsc vulnerability

Digital Nation

COVER STORY: From cost control to customer fanatics, AI is transforming the contact centre
COVER STORY: From cost control to customer fanatics, AI is transforming the contact centre
The other ‘CTO’: The emerging role of the chief transformation officer
The other ‘CTO’: The emerging role of the chief transformation officer
As NFTs gain traction, businesses start taking early bets
As NFTs gain traction, businesses start taking early bets
Metaverse hype will transition into new business models by mid decade: Gartner
Metaverse hype will transition into new business models by mid decade: Gartner
Case Study: PlayHQ leverages graph technologies for sports administration
Case Study: PlayHQ leverages graph technologies for sports administration
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.