While the list of highly confidential client information Ng actually downloaded and viewed is frightening, he only looked at a fraction of what was downloaded which was, in turn, only a fraction of the files he had access to: ‘There are probably more outrageous things still on that server, and there are probably other servers that I’ve completely missed. But I’m done for now. This stuff was all a few clicks away at any WINZ kiosk, anywhere in the country. The privacy breach is massive, and the safety of vulnerable children was put at risk.’ Ng was tipped off by someone who had asked WINZ if they would pay for telling them about it. Ng named his source (because it had already been leaked to another reporter) as Ira Bailey, one of the 17 people originally charged in the Urewera case – see Ng’s
The Source.
This has, of course, been leapt upon by bloggers on the right, calling into question Bailey’s and, in some cases, even Ng’s motives (see David Farrar's
Ira Bailey and Keeping Stock's
So many questions...). Even the Prime Minister has implied that Ng may have purchased the information from Bailey, without offering any evidence – see:
PM criticises Winz security breach finder.
This looks to have been a deliberate diversionary tactic according to Andrew Geddis who says the leaking of Bailey’s name could only have come from WINZ: ‘And it seems pretty clear (at least, to me) that that information got shuttled out to a journalist as quickly as possible as a diversion tactic from the actual substance of the story - that the personal (and in some cases very personal) information of many tens-of-thousands of individuals was left lying around in a place where literally anyone could get to it’ – see:
The first messenger that gave notice of Lucullus's coming....
So often in politics the high profile casualties are caused by later attempts to cover up or divert attention. Given the Government’s experience with the ACC train wreck you would think they would hesitate before attacking the messengers. Actually leaking private data to divert attention from a massive privacy breach would be madness but, given the track record this year, you couldn’t rule it out.
The use of WINZ’s own public kiosks to access the data is only part of the story, say IT experts. The real issue is the entire system’s security. Daniel Ayers, of forensic investigation company Elementary Solutions, pointed out to the NBR that a CERA server also appeared to be inadvertently left open to the public – see Chris Keall’s
MSD failure goes far beyond kiosk security glitch – expert. Independent IT consultant Matthew Poole told Radio New Zealand ‘as far as security breaches go, this is as bad as it gets - akin to leaving the door of a bank open so people can help themselves’ – see: RNZ’s
MSD breach 'raises questions' about entire IT network.
The kiosks have merely revealed the failure of MSD to take basic security precautions writes Danyl Mclauchlan: ‘If someone gets a temporary contract, or an entry level data-entry job at MSD they’ll still have access to all the private information Keith obtained through the kiosks’ – see:
Open government.
The system itself is only two years old. Officials were warned of a very similar (or possibly the same) problem by beneficiary advocate Kay Brereton over a year ago, which is alarming as it’s claimed the system was rebuilt and thoroughly tested as a result – see Kate Shuttleworth’s
Winz alerted to security breach last year. The department is now having to admit that it failed to respond adequately to that warning:
MSD concedes Winz security failure. Dave Armstrong (@malosilima) tweeted: ‘IT company tells you system is faulty. Pay $ and fix system. Blogger tells you - Pay 0$ but fix system. Beneficiary tells you – Ignore’. The Twitter hashtag
#MSDWTF has been running hot with other commentary on the issue.
Most embarrassing politically is the timing, just a few days after the Minister in charge ‘personally guaranteed’ to the nation the security of the proposed national database of children at risk of abuse. Not a good look writes blogger Martyn Bradbury: ‘It's like Paula is busy announcing a new orphanage opening on the front steps while ignoring the fact the building is on fire out back’ – see:
If WINZ as unsecured as blogger suggests - how can you trust Bennett's data list? This is clearly a blow for Bennett, who was ‘mortified’ yesterday but, according to Vernon Small: ‘In truth she seemed somewhere between tears and anger during the joint press conference with chief executive Brendan Boyle’ – see:
Security flaws spoil Bennett's high point. Perhaps Bennett should actually thank Bailey and Ng for their prompt work – if they had done the story next year and had downloaded the new database on a usb stick she would be an instant goner.
So what will happen now? In the good old days there would have been prompt resignations amongst management writes PR blogger Mark Blackham, to the advantage of those taking responsibility. These days ‘Despite the benefits of taking responsibility, personal ego and welfare are far stronger drivers. Which is why I predict that if anyone does finally resign over this mess, it will be much later, and after very much fuss’ – see:
#WTFMSD: Taking responsibility.
The direct political fallout may be limited to acute embarrassment, unless it emerges that very high level warnings were ignored or the explicit policy of using technology to save money is to blame - see Toby Manhire’s
The WINZ data fiasco – a symptom of “driving change for lower cost”? Manhire notes there is plenty of good advice about keeping information secure, although he cautions about the New Zealand Information Security Manual that it is published by ‘the - ahem – Government Communications Security Bureau.’
Other recent items of interest include:
* Full steam ahead for the asset sales – to court anyway. As many noted during the farcical consultation process over ‘shares-plus’, it was always going to follow that path and now the Government appears to be ready for it: ‘Finance Minister Bill English made it clear the timing of the Crown statement today was intended to flush out likely Maori Council and any other legal action "in the next week"’ - see NBR’s
Maori Council expects Crown to fight ‘all the way’ on water rights. Maori Council Co-chairperson Eddie Durie appears to be ready to oblige but says the Government’s desire for a judgement is ‘disappointing, as a fair Government should talk to the council about what it is trying to achieve’ – see RNZ’s
SOE sale won't include special shares for Maori.
* Pita Sharples is ‘disappointed’ but is sticking with National to ‘make a difference’ – see RNZ’s
Court action over Maori water rights 'extremely likely'. The Maori Party may quietly be hoping that any court action by the Maori Council fails. If it succeeds National will likely be facing a fatal delay to a major policy which could only be resolved by legislation – and that would have to be a fatal blow to the coalition with the Maori Party.
* David Shearer is promising to keep the pressure on John Key this week over the GCSB, despite copping much criticism for not being able to front with the video claiming to show John Key discussing Kim Dotcom with GCSB staff: ‘Make sure you have damning evidence in your hand before launching a crusade designed to out your political opponent as an outright liar and shorten their political career’ – see Fran O’Sullivan’s
Shearer's 'fail' mark in school for scandal.
* The opposition is certainly full of helpful suggestions. Mana has joined Labour, the Greens and New Zealand First in the manufacturing inquiry, offering its financial transactions tax as a possible solution to bringing down the value of the dollar – see TV3’s
Mana joins manufacturing sector inquiry. The inquiry would be easily dismissed as a political stunt except that organisations like the New Zealand Manufacturers and Exporters Association are backing it, with chief executive John Walley saying clearly: ‘There is a crisis. Expect to see more of what we've seen accelerating over the last couple of months’ - see Nicole Pryor’s
Manufacturing crisis 'disastrous'. Opposition parties are still having their differences - over adoption reform at the moment – see Felix Marwick’s
Labour, Greens apart on adoption reform.
* It is getting pretty clear that Shane Jones’ future in Labour is on a countdown. He is now being openly attacked by his colleagues – see Claire Trevett’s
Curran blasts Jones' remarks. It at least shows Jones ‘still takes a casual interest in New Zealand politics’ says Danyl Mclauchlan in
The kraken awakes.
Bryce Edwards