Member log in

MSD failure goes far beyond kiosk security glitch - expert

UPDATE OCT 15:  A computer security expert has raised concerns that the Ministry of Social Development provides IT systems to the Canterbury Earthquake Recovery Authority.

Daniel Ayers, with forensic investigation company Elementary Solutions, pointed out to NBR that one of the screen shots posted by blogger Keith Ng shows a CERA server - indicating the Authority's computer systems were also inadvertently left open to the public.

Last night, Mr Ng revealed he head been able to access thousands of sensitive MSD files via a public computer kiosk in a WINZ office, using nothing for than an open file command in Microsoft Office and very basic computer skills.

Mr Ayers told NBR he had had no professional engagement with CERA, but even a cursory look at the Authority's website showed links to MSD systems.

The Ministry did not immediately respond to a request for comment.

Beyond the ability of any vaguely computer-savvy member of the public to access the information, Mr Ayers raises the concern that rogue MSD staff could access thousands of personal files - which could then be sold.

Not just about the kiosks
Meanwhile, Institute of IT Professionals New Zealand chief executive Paul Matthews says MSD's security woes appear to go far beyond the kiosks:  

"While all the details haven’t yet come to light, the implications of this situation are very serious," Mr Matthews told NBR.

"As well as the clear issues of placing a publicly accessible system on an internal network containing highly sensitive data, the fact that any computer on the network can seemingly openly access these types of files points to a potential widespread systemic failure of IT security and governance.

"Unfortunately these types of incidents are becoming more and more common and it’s time our industry got more serious about accountability. This also adds significant weight to the calls for greater teeth for the Privacy Commissioner to investigate and deal with privacy breaches. These situations simply shouldn’t happen."

Mr Ng adds that at the very least, the kiosks - designed for job-seekers lookiing to browse for jobs, or send a CV - shoudl not have been connected to the MSD's corporate network.

PM: "Huge problem"
Social Welfare Minister Paula Bennett says she will not make any statement until fully brief by officials.

Prime Minister John Key has immediately waded in, however. This morning told TVNZ’s Breakfast that the situation was a “huge problem”.

“You had to go looking for it, but if you knew what to do, you could get in there," Mr Key said.

“But we just have to understand why because these terminals have been in play or use for well over a year.

"We live in a digital age and we need to make sure those systems are robust. Clearly there is a failure here, we just need to work out what caused it."

ckeall@nbr.co.nz


MSD opens investigation after Ng exposes massive security hole

OCT 14: The Ministry of Social Development has closed computer kiosks and launched an investigation after blogger and self-styled data journalist Keith Ng revealed a massive security hole earlier this evening.

Describing the events of the past week on Public Address, Mr Ng (pictured) said he was able to access thousands of files on the agency's servers from computers at self-service kiosks in a Wellington Work and Income (WINZ) office, "just using the Open File dialogue in Microsoft Office".

Huge privacy breach
The files included MSD invoices, phone logs, correspondence with lawyers and other internal documents, plus thousands of sensitive client files including the names of candidates for adoption, lists of people who owe the ministry money, identifying details of children under CYFs care, including their medications, and the names of  those suspected of benefit fraud.

Mr Ng also discovered passwords in plain text, offering even deeper access. Multiple screen shots were posted on Public Address as proof.

Files could be not just read but rewritten, he says.

In short, it makes ACC's privacy breach problems look like a stroll in the park.

MSD responds
MSD deputy chief executive Marc Warner said tonight, "MSD is very concerned about this and an urgent investigation is under way. We were alerted to this late yesterday and took immediate steps to secure the system."

In a statement sent to NBR ONLINE through his comms team, Mr Warner said, "Mr Ng has stated he accessed client information through Work and Income kiosks at two Wellington sites.

"We have closed all kiosks in all sites across the country to ensure no further information can be accessed.

"They will not be reopened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts.

"We understand the maintenance of public confidence in our ability to protect people's information is vital.

"I want to give the public an assurance that we are doing everything possible to fix this and our people have been working overnight.

"I'm pleased Mr Ng has given an assurance that he will pass all the information to the Privacy Commissioner tomorrow morning and has guaranteed none of the information will be given to anyone else or placed in the public arena."

Earlier security lapse
The deputy CEO also revealed this was not the first time there had been trouble with the public kiosks.

"A security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after," Mr Warner said.

The MSD did not immediately respond to an NBR request for it to elaborate on the earlier security issue.

Ng facing possible jail time?
Tech Liberty founder and Council for Civil Liberties executive committee member Thomas Beagle was quick to point out a relevant section of the Crimes Act:

Section 252 (1): Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

Asked by NBR if the MSD would take any legal action against Mr Ng, a spokewoman responded, "We only found out about this late afternoon today. Our first priority is understanding exactly how this has happened."

Mr Ng told NBR he briefed the MSD, but said he did not get a detailed response beyond the fact kiosks had been closed.

Asked if he got legal advice before he embarked on his escapade, the data journalist told NBR, "No, the kiosk was available to members of the public. But I did get legal advice once I figured out what I found, and I talked to the Privacy Commissioner prior to publication." [Read more on the legal question, including the battle of house break-in analogies, here.]

ckeall@nbr.co.nz

More by Chris Keall

Comments and questions
34

Full audit. Now.

agree - sounds like there are some seriously lax security practices happening at MSD. Prosecuting Mr Ng would not be a good move from a PR standpoint either

"A security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after. "

What does that mean? So they found some other "security issue" that was more obvious than this one and rebuilt it, but some how overlooked this one?

I saw Mr Ng's post. Talk about the mother of all facepalms.

Classic. Finally something John Key actually can say he did not know about without blatantly lying to the whole of New Zealand AGAIN.

Will Paula Bennett take responsibility for any of this?

If she had a shred of integrity she would hand in her resignation and hopefully a more competent Minister would replace her, but the people who we elect to represent us don't do that sort of thing anymore.

Fools, this isn't a governance issue, it's an operations / management issue in the IT department.

Can't say I'm surpised by it. Guess someone at MSD will be signing up to WINZ on Monday morning. lol

No this is not simply an operational issue. The issue with the kiosks being able to access the network may or may not be a governance issue, depending on whether shortcuts were allowed in the kiosk project.

But the fact that all data is available to all users of the network is a governance issue. Clear data security policies should have originated from the top of MSD, and been enforced with proper controls - which employees have access to which files. This is an incredibly serious failure. Data security is a basic requirement of the MSD, and this is not simply making a mistake in how data security is enforced. This is no data security whatsoever. In my opinion the CEO of MSD and other executives need to be fired.

Beautifully done Keith.
It's a multi-faceted problem. A Department or firm with a culture of protecting privacy would never have allowed this to occur.
The correct response is to perform a no-fault investigation of how this occurred, and to close off all of the issues (and there will be many) that are unveiled. One of those issues may be regular external audits of systems, and another may be the appointment and, importantly, complete empowerment, of a senior security advisor. This is a systematic failure, and needs a systematic response - but not at the expense of usability and the work being done.

"The Acting Privacy Commissioner were briefed on this day, and I’ll be handing the files over to them tomorrow. This story took most of the week to do, so if you like it, some money would be greatly appreciated"

So for an entire week Ng knew of this problem, didnt tell anyone and is now asking to be paid by his readers for his time. If he's breached the Crimes Act he's also done with the intention for personal profit.

Why didnt he just tell them the second he accessed the files while in the office? Nope. Grandstanding and profiteering follows.

YEah sure and I bet you were the tattle tail at school too.

He didn't tell them because they already knew and had done nothing, sometimes public shaming is all that will work

Telling some staffer at a local office is unlikely to have generated any action. They are unlikely to have understood the implications of what they were being told,

Wow stunning, ACC will be breathing a sigh of relief as the privacy heat is now taken if them

Not surpring. Not a lot of competence to br found i govt. Depts

I think winz knew that it could be possible, and I guess thats why everytime I would go there too use the kiosk I be walking out feeling that they would look into my file at some stage. Do the case managers tap into these files and make amends or do call centre have access.

Good on Mr Ng. He should be rewarded for his work on behalf of all those who seek privacy and rely on state services to keep private details secure.

why should someone who rings the bell be jailed for informing WINZ?

If you want to donate you can. Keith set up a donate button (he does this kind of thing for free but some media outlet really needs to hire him ARE YOU LISTENING MAINSTREAM MEDIA?).

https://www.givealittle.co.nz/cause/msdleaks

What is it with these Govt departments?
Surely we the people can expect even a modest level of competence?
liberte

Will we ever find out:

1. If IT raised security issues, or if they never did;

2. If there is a channel to raise those issues;

3. If they actually have people competent in security;

4. If budget for security was refused or postponed.

Mr Ng deserves a medal, but I guarantee there will be the typical losers hell bent on spending their hours trying to hang him and covering up their colleagues ineptitude.

When I went into my local branch of WINZ with my CV on a portable USB drive, I was laughed at by staff for my lack of 'security savvy'. Obviously, they wouldn't let people put their USB sticks into their kiosks - the security risks were far too great. Thank you, Keith, for showing what those security risks were. My memory stick wouldn't have been big enough ...

WINZ's CIO was seconded from the GCSB, so no real surprise.

And WINZ's CE was formerly the Government's CIO, so no surprise there either.

No comment from Paula yet - it's her department.

It would seem that not much has changed since the 80's regarding govt worth ethics.....

NZ TV series from the 80's..
Gliding on.
http://www.nzonscreen.com/title/gliding-on-1981

In fact in the 1980s DSW did have proper in-house expertise and in combination with private contractors successfully built the SWIFTT benefits processing system. However, much of the departmental know-how was then incorporated into the software, automated and eventually lost to the departmental staff. Operation and development was outsourced to EDS leaving the department bereft of technical expertise itself. By the time I was briefly re-involved it was clear that utterly incompetent management was also in charge.

Clarification - I don't know for sure that is a CERA server, but given the IT links between MSD and CERA the question of whether or not the impact of this goes wider than MSD needs to be asked. Ultimately it will probably take a full review to find out.

Your article says "using nothing for than an open file command in Microsoft Office and very basic computer skills" ...

I'd like more detail please - what do the kiosks looks like? Are they like an airport checking kiosk for example? Are they a PC with Office?

Can we get some fact checking on what Ng says he did versus what the kiosks look like and whether Office is actually installed and/on the desktop?

Something's not right here. How many others might know about this and have been using "nothing more than an open file command" to do who knows what and for how long.

The kiosks are very much like the airport checking kiosks. They're in the waiting area by the entrance so that they're easy for the public to use. They have microsoft office installed as jobseekers are supposed to use them to work on their CVs
If you're not sure what exactly 'open file command' is, someone on public address has kindly provided a screenshot showing the steps involved (http://publicaddress.net/assets/upload/272401/199477387/steps-01.png) - this is something many people do everyday and could easily be done accidentally. You did not have to go looking for it or know what you were doing as John Key seems to think.

Over a decade ago I walked out of a WINZ project saying life was too short to get involved in an obvious disaster and that WINZ had contracted out its core IT functions and lost all in-house expertise.

They denied it but that project duly failed owing the taxpayer $35M and this present otherwise unbelievable incompetence shows my criticism remains accurate.

Ah well, that explains why no one is worried about possible spying by Huawei. But it doesn't explain why filesharing is so bad when it's enabled by Kim.com