MSD failure goes far beyond kiosk security glitch - expert
"Good on Mr Ng. He should be rewarded for his work on behalf of all those who seek privacy and rely on state services to keep private details secure."Featured comment
UPDATE OCT 15: A computer security expert has raised concerns that the Ministry of Social Development provides IT systems to the Canterbury Earthquake Recovery Authority.
Daniel Ayers, with forensic investigation company Elementary Solutions, pointed out to NBR that one of the screen shots posted by blogger Keith Ng shows a CERA server - indicating the Authority's computer systems were also inadvertently left open to the public.
Last night, Mr Ng revealed he head been able to access thousands of sensitive MSD files via a public computer kiosk in a WINZ office, using nothing for than an open file command in Microsoft Office and very basic computer skills.
Mr Ayers told NBR he had had no professional engagement with CERA, but even a cursory look at the Authority's website showed links to MSD systems.
The Ministry did not immediately respond to a request for comment.
Beyond the ability of any vaguely computer-savvy member of the public to access the information, Mr Ayers raises the concern that rogue MSD staff could access thousands of personal files - which could then be sold.
Not just about the kiosks
Meanwhile, Institute of IT Professionals New Zealand chief executive Paul Matthews says MSD's security woes appear to go far beyond the kiosks:
"While all the details haven’t yet come to light, the implications of this situation are very serious," Mr Matthews told NBR.
"As well as the clear issues of placing a publicly accessible system on an internal network containing highly sensitive data, the fact that any computer on the network can seemingly openly access these types of files points to a potential widespread systemic failure of IT security and governance.
"Unfortunately these types of incidents are becoming more and more common and it’s time our industry got more serious about accountability. This also adds significant weight to the calls for greater teeth for the Privacy Commissioner to investigate and deal with privacy breaches. These situations simply shouldn’t happen."
Mr Ng adds that at the very least, the kiosks - designed for job-seekers lookiing to browse for jobs, or send a CV - shoudl not have been connected to the MSD's corporate network.
PM: "Huge problem"
Social Welfare Minister Paula Bennett says she will not make any statement until fully brief by officials.
Prime Minister John Key has immediately waded in, however. This morning told TVNZ’s Breakfast that the situation was a “huge problem”.
“You had to go looking for it, but if you knew what to do, you could get in there," Mr Key said.“But we just have to understand why because these terminals have been in play or use for well over a year.
"We live in a digital age and we need to make sure those systems are robust. Clearly there is a failure here, we just need to work out what caused it."
MSD opens investigation after Ng exposes massive security hole
OCT 14: The Ministry of Social Development has closed computer kiosks and launched an investigation after blogger and self-styled data journalist Keith Ng revealed a massive security hole earlier this evening.
Describing the events of the past week on Public Address, Mr Ng (pictured) said he was able to access thousands of files on the agency's servers from computers at self-service kiosks in a Wellington Work and Income (WINZ) office, "just using the Open File dialogue in Microsoft Office".
Huge privacy breach
The files included MSD invoices, phone logs, correspondence with lawyers and other internal documents, plus thousands of sensitive client files including the names of candidates for adoption, lists of people who owe the ministry money, identifying details of children under CYFs care, including their medications, and the names of those suspected of benefit fraud.
Mr Ng also discovered passwords in plain text, offering even deeper access. Multiple screen shots were posted on Public Address as proof.
Files could be not just read but rewritten, he says.
In short, it makes ACC's privacy breach problems look like a stroll in the park.
MSD deputy chief executive Marc Warner said tonight, "MSD is very concerned about this and an urgent investigation is under way. We were alerted to this late yesterday and took immediate steps to secure the system."
In a statement sent to NBR ONLINE through his comms team, Mr Warner said, "Mr Ng has stated he accessed client information through Work and Income kiosks at two Wellington sites.
"We have closed all kiosks in all sites across the country to ensure no further information can be accessed.
"They will not be reopened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts.
"We understand the maintenance of public confidence in our ability to protect people's information is vital.
"I want to give the public an assurance that we are doing everything possible to fix this and our people have been working overnight.
"I'm pleased Mr Ng has given an assurance that he will pass all the information to the Privacy Commissioner tomorrow morning and has guaranteed none of the information will be given to anyone else or placed in the public arena."
Earlier security lapse
The deputy CEO also revealed this was not the first time there had been trouble with the public kiosks.
"A security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after," Mr Warner said.
The MSD did not immediately respond to an NBR request for it to elaborate on the earlier security issue.
Ng facing possible jail time?
Tech Liberty founder and Council for Civil Liberties executive committee member Thomas Beagle was quick to point out a relevant section of the Crimes Act:
Section 252 (1): Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.
Asked by NBR if the MSD would take any legal action against Mr Ng, a spokewoman responded, "We only found out about this late afternoon today. Our first priority is understanding exactly how this has happened."
Mr Ng told NBR he briefed the MSD, but said he did not get a detailed response beyond the fact kiosks had been closed.
Asked if he got legal advice before he embarked on his escapade, the data journalist told NBR, "No, the kiosk was available to members of the public. But I did get legal advice once I figured out what I found, and I talked to the Privacy Commissioner prior to publication." [Read more on the legal question, including the battle of house break-in analogies, here.]