WINZ kiosks shut following major security flaw
The Ministry of Social Development shut down internet kiosks around the country and launched a ministry investigation last night, after blogger Keith Ng reported he was able to access thousands of files on the agency's servers from the kiosks in a Wellington WINZ office.
Ng says he used a WINZ kiosk and was able to open files including sensitive case notes, names of children in care and up for adoption, foster parents, lists of people who owed MSD money, details of contract workers and how much they were paid, and the name of a person who had attempted suicide.
However, Kay Brereton, from Beneficiary Advocacy Federation, this morning told Radio New Zealand the discovery was nothing new.
She said she had tested the kiosks not long after they were introduced and found people could get into the ministry's system.
"I went with my collectors and we had a little play on the kiosks to see what they can do, and one of the guys who was with us found out that you can get back into the MSD system," she said.
"We came out finding out ... that the people who were using the kiosks could actually get into Work and Income's information.
"We went far enough to know that there was a problem, and we let Work and Income and MSD national office know that that problem existed. It was important that they did something about it before someone with skills and time found their way back into Work and Income's files."
MSD deputy chief executive Marc Warner last night issued a statement saying: "a security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after".
He said the ministry had been alerted to the latest security flaw late yesterday and took immediate steps to secure the system.
"MSD is very concerned about this and an urgent investigation is underway."
Ng had stated he accessed client information through WINZ kiosks at two Wellington sites, Warner said.
"We have closed all kiosks in all sites across the country to ensure no further information can be accessed.
"They will not be reopened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts.
"We understand the maintenance of public confidence in our ability to protect people's information is vital.
"I want to give the public an assurance that we are doing everything possible to fix this and our people have been working overnight."
Ng had given an assurance that he would pass all the information to the Privacy Commissioner this morning and had guaranteed that none of the information would be given to anyone else or placed in the public arena, Warner said.
In comments on Ng’s blog post, Thomas Beagle from the NZ Council for Civil Liberties points out that it is possible Ng may face legal action.
Beagle wrote that under the Crimes Act s252 (1), "Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system."
On the TVNZ Breakfast programme this morning Prime Minister John Key said Social Development Minister Paula Bennett is very concerned about the breach.
"We need to make sure that those systems are robust," Key said. "People are increasingly accessing information from the government electronically."
Labour's social development spokeswoman Jacinda Ardern this morning described the breach as "staggering".
Of particular concern was that the information accessed included details of children in a high and complex needs unit and children in Child, Youth and Family safe houses, she said.
"This is an appalling breach of privacy and comes on top of serious security lapses at ACC and the IRD."
The breach also exposed a massive weakness in a proposal in Social Development Minister Paula Bennett's White Paper on Vulnerable Children, launched last week, to set up a database of at-risk children, she said.
"It compromises the entire premise. It raises serious doubts about the Department’s ability to properly protect the highly sensitive information it holds, and while the compromised data is now in the hands of the Privacy Commissioner, the damage has been done."
Posted by kpmg? at 22:28:09 on October 15, 2012
"The ministry's chief executive, Brendan Boyle, says it hired Dimension Data to test the security of the kiosks prior to Mr Ng's experience and reported no problems."
Posted by Hai at 15:18:40 on October 15, 2012
Posted by Anonymous at 11:04:55 on October 16, 2012
A WINZ spokeswoman said they were not yet able to say how many breaches of privacy there had been but between the five staff already dismissed there were "many".
Ministry of Social Development senior officials scrambled to give assurances that its processes were safe yesterday.
After being approached for comment, Work and Income head Janet Grossman announced the national review saying it was "vital" for New Zealanders to have confidence in "the integrity of our staff and the welfare system".
"I'm conducting this review of the way staff handle client records because I want to confirm that these breaches are confined to this office."
Social Development Minister Paula Bennett labelled it an "operational matter" but said she was satisfied the "appropriate action" had been taken.
"The Department has made it very clear this kind of activity will not be tolerated."
Posted by Barney Magrew at 10:59:11 on October 15, 2012
Posted by jim young at 10:39:49 on October 15, 2012
@Therese: You are effectively saying that every New Zealander shouldn't need to lock their doors and have burglar alarms. Regardless of what you think, people will continue to rob houses and see how you get on with your insurance company under that scenario.
The reality is that WINZ should have safeguarded sensitive data. And they didn't. In fact, from what I have heard "hacking" in this case really was about as easy as walking into a house with no doors, or walls for that matter, on it.
Posted by Hai at 13:45:30 on October 15, 2012