WINZ kiosk warnings may have been ignored: MSD

Dimension Data's recommendations in a report filed in April 2011 may not have been taken onboard says MSD CEO

The Ministry of Social Development's CEO Brendan Boyle says the ministry may not have taken the necessary steps to fix security flaws with its kiosk system, even though it was made aware of them early last year.

“We received a report from Dimension Data in April 2011, which identified flaws in our system," says Boyle.

"Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data’s recommendations on security."

Boyle says the MSD has retained Deloittes to investigate the security flaws with the kiosks, and then to carry out an audit of the ministry's security system and policies.

“Our immediate aim is to resolve any security problems and restore public confidence in our systems,” says Boyle.

Computerworld has asked for the Ministry to clarify the cost to tax payers of Deloitte's investigation.

CERA also affected

The Canterbury Earthquake Recovery Authority (CERA) says some of its corporate information was accessible through WINZ’s self-help computer kiosks.

In a statement released yesterday evening, CERA says it had been advised by the Ministry of Social Development that scanned invoices were accessible from its kiosks.

CERA acting CEO Warwick Isaacs says this includes invoices paid to suppliers, and dates between December 2011 and last week.

Isaacs says CERA will be advising its creditors where potential breaches may have occurred, but it is not known if any information was viewed.

CERA says invoices regarding Christchurch CBD demolitions, Red Zone settlements and property owner details are stored outside of the MSD system, and have not been accessed.

Yesterday computer forensics expert Daniel Ayers suggested that CERA and MSD shared some IT infrastructure.

MSD’s kiosk system is used by WINZ clients to search for jobs and send out CVs. Last weekend it was revealed by the Public Address blog that potentially sensitive files were available to the public

Blogger names source
Public Address blogger Keith Ng, who originally broke the story, has since written that the source who originally tipped him off was Ira Bailey - a system administrator, who was one of the Urewera 17.

Ng says Bailey originally went to the ministry with his information, and asked if there was a vulnerability report reward like that offered by some private companies such as Google.

When Bailey did not hear back from the ministry he went to Ng with the information.

Indications are the ministry will not charge Ng for taking home files from the kiosks, but charges against Bailey have not been ruled out.