The News Drone

Multimedia journalist Andy Park hovers the SBS drone over the day’s news.

Data fail exposes NZ's most vulnerable

17 October 2012, 16:56 PM | Source: AP

The most sensitive data imaginable was publicly accessible at up to 700 unsecured NZ job seeker terminals, writes Andy Park.

Calling it a massive data privacy breach is an understatement.

Calling it the most serious exposure of government data about private citizens may still be a little lean.

“Clearly, something’s gone terribly wrong,” New Zealand Prime Minister John Key said this week.

The data breach, already a scandal in NZ and attracting global attention, saw a catalogue of sensitive information about welfare clients publicly accessible via up to 700 self-service kiosks located in Work and Income (WINZ) offices across the nation.

The Australian equivalent would be walking into a Centrelink office and casually looking up the names of children in state care and what medications they are prescribed, or who was under investigation for welfare fraud.

It’s sparked a government-wide review of the government’s data information policy and security protocols.

Journalist Keith Ng, who broke the story on his blog OnPoint, wrote: “last week, I got tipped-off that the parts of the MSD (Ministry of Social Development) network were completely exposed to the public. You could go into any WINZ office and use their self-service kiosks to access their corporate network.”

“The longest session was for about two-and-a-half hours,” he said.

Not only accessible, but transferable on to a USB disk for anyone to remove.

How sensitive could this information be?

“It was mostly from an invoice server,” Mr Ng told SBS.

He says there were about 14,000 invoices accessible and he copied and viewed about 3,500.

“Things that you normally wouldn’t think of as sensitive, like invoices, in an organisation like MSD, can leak some really sensitive information.”

Astounding, actually. For example:

  • Names of candidates for adoptions and foster parents
  • Debt collectors' invoices, which listed the names of clients who owed money
  • Names of children living in Child, Youth and Family care homes
  • Addresses of the care homes
  • Names of children and their medical prescriptions on pharmacy invoices
  • Names of investigators and clients in fraud investigations

In one instance, a person who had attempted suicide, and their home town, were named in an invoice.

How unsecured could it have been?

The data was literally a few clicks away, at any one of the public terminals, via the open file command in Microsoft Office on the PC.

IT expert and activist Ira Bailey discovered the risk and approached the Ministry of Social Development (MSD) to enquire if there was a reward payment for highlighting potential security breaches.

The MSD, it appears, did not take him seriously.

“The IT stuff was mental. Password lists, server encryption keys, the main server that runs all the services, was open as a network drive. You could just copy the virtual services to a USB drive if you wanted. I couldn’t believe it, my brain imploded really,” he told RadioNZ.

The security flaws were reportedly previously known by the department, but Mr Ng says “it’s unclear as to how appropriate their response was”.

Interestingly, in terms of new journalism models, Mr Ng has crowd-sourced about $5000 in donations from the public after telling the story.

A loophole in New Zealand’s Crimes Act may protect the pair from prosecution, given that the computer was intended for public use and he did not access the information for damage or gain.

“The key question is: what level of risk was reported and how did they deal with that risk,” Mr Ng said.

“Finding a security hole isn’t really a political act,”

That is yet to be seen.
