UPDATE / April 10: Labour and the Ministry of Justice are sparring over whether there was a serious problem with the Justice website - as publicised by Labour ICT spokeswoman Clare Curran just three hours after it occurred.
Yesterday, Ms Curran said a "concerned member of the public" had alerted her to a security flaw that "leaves the personal and financial details of tens of thousands of New Zealanders potentially exposed."
Late in the day, deputy secretary for organisational development and support Rose Percival told NBR, “There has been no privacy breach and no release of private information.”
She added, “What has occurred is that someone has accessed an administrative file in a Ministry website. The Ministry has identified how the person accessed the administrative file and has closed the affected website while it addresses this issue. It will be running again as soon as testing of the changes is complete. Unfortunately, no website, just like no building, is completely secure if people are determined to get into it.”
Justice did not immediately respond to an NBR follow-up asking about the contents of the administrative file that was accessed.
Ms Curran is in no doubt. She told NBR, "The passwords to important parts of the MoJ website including databases and financial payments were displayed in plain text on a file accessible to someone with basic computer knowledge."
Whatever it does contain, Ms Percival maintains "only a person with IT skills deliberately trying to get into a Ministry IT system" could have accessed the administrative file.
Ms Curran says Justice, backed by Justice Minister Judith Collins, has tried to re-frame the situation as a privacy issue, and focus on the fact no information was leaked.
The Dunedin South MP says it's a security issue, "and the fact they have shut down parts of the website proves the vulnerability is real."
She adds, "A second source has revealed today that 63,000 documents were accessible via the Tenancy Tribunal part of the website. Labour has done the right thing. Judith Collins is blaming the whistle blower."
Labour: tens of thousands of records potentially exposed on Justice website
APRIL 9: There seems to be yet another privacy problem for the public sector.
Labour ICT spokeswoman Clare Curran says she today alerted the Ministry of Justice to a serious security flaw in its website.
NBR has asked Justice for comment.
The MP says she gave the ministry three hours' notice before going public - a swift timeline that immediately drew flak on social media.
Ms Curran says she waited until being advised the vulnerable part of the website had been taken offline before going public.
The vulnerability leaves the personal and financial details of tens of thousands of New Zealanders potentially exposed, and might allow a malicious person to redirect payments to and from members of the public, Ms Curran claims.
“This is a very serious matter. This is yet another gaping hole in the security of a major government site, with privacy and financial implications for a huge number of people,” says the Dunedin South MP.
The security flaw allows access to Ministry of Justice passwords and databases, via a publicly accessible search engine on its website.
“The Ministry of Justice holds incredibly sensitive data – including information about the victims of crime. The Government has a fundamental duty to protect that information. This flaw, if exploited, could have a devastating effect on thousands of people.
“Earlier today I wrote to the Ministry of Justice, the Minister Judith Collins and the Privacy Commissioner alerting them to the issue, which must be addressed urgently.
“This matter was brought to my attention by a whistle-blower. That person has agreed to help the Ministry of Justice in any way they can to ensure the security flaw is fixed.
“This is the latest in a disturbingly long line of information technology security flaws and privacy breaches. There is clearly a major systemic problem with IT security.
“In the past two years more than 100,000 Kiwis have had their privacy breached by government agencies, including the ACC, MSD, IRD and EQC. This is an issue of public trust and confidence in government systems.
“The National Government needs to treat this matter with the seriousness it deserves, and stop hiding behind human error as an excuse for not protecting people’s private information,” says Ms Curran.
RAW DATA - LABOUR statement
Ministry of Justice security flaw Q & A
What is the nature of the security flaw?
The flaw allows access to what appears to be Ministry of Justice databases covering licences and fines. Those databases would likely include the personal details of many victims of crimes.
Access to the page containing passwords for the databases was found via a publicly accessible part of the Ministry of Justice website.
How serious is this vulnerability?
This is a serious flaw. The passwords were contained in a plain text file, and those passwords could be used to access incredibly sensitive information, and could potentially allow someone to alter fines payments and financial records.
The MoJ website is very vulnerable to anyone who is serious about trying to break into it. The MoJ website’s security is nowhere near an acceptable standard.
Potentially how many people’s information is at risk because of this problem?
That is not clear. But the databases in question could include information about people that the Courts have imposed a fine upon, and any victim of crime that is receiving reparations. At the very least the databases also hold the details of those with licences issued by the Ministry of Justice.
How did Clare Curran become aware of the issue?
Clare Curran was contacted by a concerned member of the public, who identified the vulnerability. That person contacted her in the hope that she could help expose the problem and get it fixed.
The whistle-blower did NOT access the Ministry databases, but did view the plain text file that contained the passwords. This confirmed the seriousness and extent of the security issue. This file has been passed on to the Ministry of Justice.
Clare Curran will not be publicly identifying her source, but they have agreed to help the Ministry of Justice to address this problem.