Prime Minister John Key called the security breach around sensitive computer files held by the Ministry of Social Development a "failure" and a "huge problem".
15 October, 2012
Computer kiosks at Work and Income branches have been shut down after a blogger found they gave him access to private records, including vulnerable children's care home addresses and medical prescriptions.
This morning a beneficiary advocate has claimed the Ministry of Social Development was made aware of the flaw in its computer servers more than a year ago.
MSD deputy chief executive Marc Warner said last night an urgent investigation had started.
"We have closed all kiosks in all sites across the country to ensure no further information can be accessed," he said in a statement.
"They will not be re-opened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts."
Keith Ng, who blogs on publicaddress.net, wrote in a post at 10pm last night that he had followed up on a tip-off about the security lapse last week.
He had gone to two Wellington offices and found anyone could open private files through public computer kiosks.
What information was exposed?
Mr Ng said data exposed to public view included:
* Names of candidates for adoptions and foster parents
* Debt collectors' invoices, which listed the names of clients who owed money
* Names of children living in Child, Youth and Family care homes
* Addresses of the care homes
* Names of children and their medical prescriptions on pharmacy invoices
* Names of investigators and clients in fraud investigations
"This stuff was all a few clicks away at any Winz kiosk, anywhere in the country," Mr Ng said on his blog post.
"The privacy breach is massive, and the safety of vulnerable children was put at risk."
Also among the thousands of documents Mr Ng accessed were contractors' invoices, legal bills, medical reports and an invoice from a community group that had given support to a family after a suicide attempt. It listed the person's name.
'There is a failure here' - Prime Minister
John Key said on TVNZ's Breakfast he had spoken with Social Development Minister Paula Bennett this morning about the breach.
"Like everybody, she's very concerned," he said.
"At the end of the day people are increasingly accessing information from the Government electronically - we live in a digital age and we have to make sure that those systems are robust and clearly there's a failure here and we just have to work out what's caused it.
"They have closed down those self-serve, self-kiosk computer terminals until they can find out exactly what's gone wrong and why.
"Clearly there is a failure here."
Mr Key believed it wasn't easy for the files to be accessed - he said "you had to go looking for them".
MSD knew a year ago - advocate
Beneficiary Advocacy Federation spokeswoman Kay Brereton told Radio New Zealand this morning she and her colleagues told MSD about the problem over a year ago.
"It wasn't that long after the kiosks were introduced I went with my colleagues and had a bit of a play on the kiosks and had a bit of a look at what they could do, and one of the guys that was with us found that you could get back into the MSD system.
"We thought that the best thing to do was to tell MSD. We went in there worried that the kiosks might give information from the people that were using them but we came out finding that it was the other way around, that the people who were using the kiosks could actually get into Work and Income's information."
She said they informed the MSD national office about the problem, and she presumed it would have been sorted out.
"It just undermines people's faith in being able to do business with the Government and having their privacy respected. I'm pretty shocked - I'm really shocked - and I think that some of those people whose information it is are going to be very, very angry."
Labour: 'Astounding breach'
Labour MP Jacinda Ardern described the breach as 'appalling' and said it comes on top of serious security lapses at ACC and the IRD.
She says the creation of a shared database to monitor vulnerable children - central to a white paper released by Social Development Minister Paula Bennett last week - now needs to be looked at.
"It raises serious doubts about the Department's ability to properly protect the highly sensitive information it holds, and while the compromised data is now in the hands of the Privacy Commissioner, the damage has been done."
Ms Ardern disagreed with Prime Minister John Key that the information wasn't easily accessible, saying it was just a few clicks away.
MSD: Guarantee information will not be shared
Mr Warner said Mr Ng had guaranteed none of the information he saw would be given to anyone else or placed in the public arena.
But it was not clear last night how long the information had been exposed to the public and how many people might have accessed it.
Commenters online said the public kiosks were only the tip of the iceberg.
There had been a fundamental lack of security - the files and servers were apparently wide open to anyone within the ministry's internal network.
The ministry said the system had already been rebuilt once after a security issue was raised during the establishment of the kiosks.
"We understand the maintenance of public confidence in our ability to protect people's information is vital," Mr Warner said.
"I want to give the public an assurance that we are doing everything possible to fix this and our people have been working overnight."
Here is Keith Ng's account of how he accessed the information.
MSD's Leaky Servers
14 October, 2012
My jeans were torn, my hoodie was pretty ragged, and I hadn’t shaved for a week. It turned out that bloggers are remarkably good at disguising themselves as unemployed, without even trying.
Last week, I got tipped off that parts of the MSD network were completely exposed to the public. You could go into any WINZ office and use their self-service kiosks to access their corporate network.
These locked-down kiosks are provided so you could look for jobs online, send off CVs etc. They’ve had some basic features disabled, which supposedly meant that you couldn’t just open up File Manager and poke around the machine. However, by just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network, and then open up any accessible file.....
For the rest of Keith Ng's account GO HERE
Here is discussion of the issue on Radio NZ this morning

