WINZ kiosks shut following major security flaw

Blogger Keith Ng able to access thousands of Ministry of Social Development files

The Ministry of Social Development shut down internet kiosks around the country and launched a ministry investigation last night, after blogger Keith Ng reported he was able to access thousands of files on the agency's servers from the kiosks in a Wellington WINZ office.

Ng says he used a WINZ kiosk and was able to open files including sensitive case notes, names of children in care and up for adoption, foster parents, lists of people who owed MSD money, details of contract workers and how much they were paid, and the name of a person who had attempted suicide.

However, Kay Brereton, from the Beneficiary Advocacy Federation, this morning told Radio New Zealand the discovery was nothing new.

She said she had tested the kiosks not long after they were introduced and found people could get into the ministry's system.

"I went with my collectors and we had a little play on the kiosks to see what they can do, and one of the guys who was with us found out that you can get back into the MSD system," she said.

"We came out finding out ... that the people who were using the kiosks could actually get into Work and Income's information.

"We went far enough to know that there was a problem, and we let Work and Income and MSD national office know that that problem existed. It was important that they did something about it before someone with skills and time found their way back into Work and Income's files."

MSD statement
MSD deputy chief executive Marc Warner last night issued a statement saying: "a security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after".

He said the ministry had been alerted to the latest security flaw late yesterday and took immediate steps to secure the system.

"MSD is very concerned about this and an urgent investigation is underway."

Ng had stated he accessed client information through WINZ kiosks at two Wellington sites, Warner said.

"We have closed all kiosks in all sites across the country to ensure no further information can be accessed.

"They will not be reopened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts.

"We understand the maintenance of public confidence in our ability to protect people's information is vital.

"I want to give the public an assurance that we are doing everything possible to fix this and our people have been working overnight."

Ng had given an assurance that he would pass all the information to the Privacy Commissioner this morning and had guaranteed that none of the information would be given to anyone else or placed in the public arena, Warner said.

In comments on Ng’s blog post, Thomas Beagle from the NZ Council for Civil Liberties points out that Ng may face legal action.

Beagle wrote that under the Crimes Act s252 (1), "Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system."

Political reaction

On the TVNZ Breakfast programme this morning Prime Minister John Key said Social Development Minister Paula Bennett is very concerned about the breach.

"We need to make sure that those systems are robust," Key said. "People are increasingly accessing information from the government electronically."

Labour's social development spokeswoman Jacinda Ardern this morning described the breach as "staggering".

Of particular concern was that the information accessed included details of children in a high and complex needs unit and children in Child, Youth and Family safe houses, she said.

"This is an appalling breach of privacy and comes on top of serious security lapses at ACC and the IRD."

The breach also exposed a massive weakness in a proposal in Social Development Minister Paula Bennett's White Paper on Vulnerable Children, launched last week, to set up a database of at-risk children, she said.

"It compromises the entire premise. It raises serious doubts about the Department’s ability to properly protect the highly sensitive information it holds, and while the compromised data is now in the hands of the Privacy Commissioner, the damage has been done."

Comments
Poor show! Blame the vendor? really? ... OIA the SOW and demonstrate where DD has failed to deliver.
Posted by Anonymous at 19:17:04 on October 15, 2012

Poor show! nz herald reports that kpmg regularly audits the kiosks and found no risks. so is it dd or kpmg or someone else doing the audits?
Posted by kpmg? at 22:28:09 on October 15, 2012

Dimension Data Ooops...

"The ministry's chief executive, Brendan Boyle, says it hired Dimension Data to test the security of the kiosks prior to Mr Ng's experience and reported no problems."

http://www.radionz.co.nz/news/national/118159/msd-calls-in-expert-over-security-breach
Posted by Hai at 15:18:40 on October 15, 2012

Dimension Data "Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data's recommendations on security. I will look to the review to provide me with the answers,"
-Boyle
Posted by Anonymous at 11:04:55 on October 16, 2012

Vital - in 2011 December 24th, 2011

A WINZ spokeswoman said they were not yet able to say how many breaches of privacy there had been but between the five staff already dismissed there were "many".

Ministry of Social Development senior officials scrambled to give assurances that its processes were safe yesterday.

After being approached for comment, Work and Income head Janet Grossman announced the national review saying it was "vital" for New Zealanders to have confidence in "the integrity of our staff and the welfare system".

"I'm conducting this review of the way staff handle client records because I want to confirm that these breaches are confined to this office."

Social Development Minister Paula Bennett labelled it an "operational matter" but said she was satisfied the "appropriate action" had been taken.

"The Department has made it very clear this kind of activity will not be tolerated."

http://www.stuff.co.nz/national/6187390/WINZ-staff-under-fire
Posted by Barney Magrew at 10:59:11 on October 15, 2012

WINZ data access When a government seeks to trim the public service, tip-offs from dissatisfied employees to hackers such as Keith Ng are predictable. Junior Labour MP Jacinda Ardern is of course shocked, staggered, appalled and astounded.
Posted by jim young at 10:39:49 on October 15, 2012

WINZ data access @Jim Young: Agreed. The government is destroying public service faster than they can build the new version. When you have your spy agency leaking to the opposition it is a very dangerous time and shows the depth of feeling runs very very deep.

@Therese: You are effectively saying that every New Zealander shouldn't need to lock their doors and have burglar alarms. Regardless of what you think, people will continue to rob houses and see how you get on with your insurance company under that scenario.

The reality is that WINZ should have safeguarded sensitive data. And they didn't. In fact, from what I have heard "hacking" in this case really was about as easy as walking into a house with no doors, or walls for that matter, on it.
Posted by Hai at 13:45:30 on October 15, 2012

WINZ data access If this kind of crime cannot be prosecuted by law, then the law needs to be updated urgently to reflect the spirit of cooperation. It was probably written before hacking was a problem. It astonishes me how people find this kind of breach of public trust acceptable. If a child is left in unintentionally insecure premises, does this make it ok to sneak in and perve at him or her, or worse? How can it be said that this was not done for personal gain, political gain - even just raising one's profile - could be seen as a form of personal gain. This kind of behaviour is like a parasite and is very expensive (for the taxpayer) to fix. Two years in prison would not be enough!
Posted by Therese at 12:46:18 on October 15, 2012

Amateurs!! Honestly, securing a Windows kiosk is Networking 101. It comes as an out of box machine security profile with Windows and Active Directory. Who were the muppets that built and tested this system?!
Posted by Anonymous at 10:38:25 on October 15, 2012

Does anyone know ... Does anyone know who set up and administers this system? Was it set up by MSD or sub-contracted to an IT company?
Posted by Anonymous at 10:34:34 on October 15, 2012
