Money demanded in MSD files breach
The social development ministry was approached last week by a member of the public demanding money in exchange for help identifying website security breaches.
Ministry CEO Brendan Boyle says the ministry was contacted by a member of the public who told them their kiosk security was not robust enough.
“He indicated he would be prepared to co-operate with us if there was a reward for providing information. We made it very clear we didn’t provide money in situations like that.”
Mr Boyle says as a result, the ministry commissioned KPMG to take a closer look at all of the ministry’s IT systems.
He is set to release the terms of reference in the next 48 hours for an independent investigation looking at breaches in the security of its computer kiosks.
The kiosk files included thousands of sensitive client records, among them the names of candidates for adoption, lists of people who owe the ministry money, identifying details of children in CYF care (including their medications), and the names of those suspected of benefit fraud.
Investigation confined to kiosks
The investigation, which he expects to take a fortnight, will initially examine breaches around the kiosks. If it shows a broader review of ministry systems is needed, one will be commissioned.
Earlier, Institute of IT Professionals head Paul Matthews told NBR the MSD's security woes appear to go far beyond the WINZ kiosks.
"As well as the clear issues of placing a publicly accessible system on an internal network containing highly sensitive data, the fact that any computer on the network can seemingly openly access these types of files points to a potential widespread systemic failure of IT security and governance," Mr Matthews said.
An internal task force will also be established to support the review and Mr Boyle will remain in close contact with the Privacy Commissioner.
Social development minister Paula Bennett says she is "mortified" by the breach but still has confidence in Mr Boyle.
Mr Boyle says the situation is being taken extremely seriously. “Ultimately, the buck stops with the CEO.”
Security tests failed
The ministry regularly works with KPMG and Dimension Data to carry out "penetration testing" – attacking the websites to expose their vulnerabilities, he says.
KPMG's involvement had not included penetration testing of the WINZ kiosks. That work was carried out by Dimension Data.
“This ‘penetration testing’ has now been accelerated and intensified.”
He says while KPMG’s tests last week did not expose any vulnerability, he is confident future testing will.
Unclear if man connected to Ng
Mr Boyle says the man who contacted the ministry last week said he was working with a journalist “and clearly that is what emerged over the weekend”.
However, Mr Boyle later said he could not be sure the man was working with blogger and whistleblower Keith Ng.
NBR asked Mr Ng whether the man was his source, or if he had any other connection to him. The blogger would only reply, "I'm not going to talk about my source, sorry."
Mr Boyle says it is too early to say whether he will be referring the matter, and Mr Ng, to police, although he admits it is not his intention.
He is simply grateful to Mr Ng for not making the information public and for co-operating with the ministry and the Privacy Commissioner.
Mr Ng had been constructive and co-operative in contacting the ministry and handing over data to the Commissioner.
Privacy Commissioner: no evidence client files compromised
Separately, in a statement, Assistant Privacy Commissioner Katrine Evans said she was satisfied Mr Ng had handed over all of the data.
"Most of the data that we know about so far involves invoices and file server logs. We do not have evidence that the Ministry’s client databases have been compromised, though obviously this is something we will be looking very closely at," the Assistant Commissioner said.
"Our first priority was to make sure that the kiosks were closed so that no further information could be accessed. We spoke to the Ministry yesterday evening and got assurances that the kiosks would be closed before the service centres opened this morning.
"Secondly, we wanted to make sure that the information that had been downloaded was returned to us so that people did not need to be worried about its security. The blogger has given us the information this morning. He has not kept copies."
The office of the Privacy Commissioner was now investigating the incident.
"Protecting personal information is a cornerstone of public trust in both government and business, particularly in the digital environment – and this is one of several recent incidents that show that agencies need to up their game," Ms Evans said.