Thousands of files on the Ministry of Social Development's computer servers, including the personal details of at-risk children, have been accessed through a Wellington Work and Income job seeker kiosk.
Blogger Keith Ng described how he went into a WINZ office and used a self-service kiosk, normally used to look at job vacancies, to access up to 3500 files on the agency's server, "just using the Open File dialogue in Microsoft Office.''
Mr Ng said the files were PDF copies of MSD files and he has posted screen shots of what he found online.
He said on Sunday night on the Public Address blog site that he had managed to view an invoice to a community group who had supported a family after their family member attempted suicide (including the person's name), invoices relating to children in CYFS care (including addresses), sensitive client case notes, the names of candidates for adoption and passwords in plain text.
Mr Ng said all information he had obtained would be handed over to the Privacy Commissioner and he had sought advice from a media law expert prior to publication on the blog.
Mr Ng believed self-service kiosks at all WINZ offices will have the same lack of security.
"All the kiosk computers at all branches are identical virtual computers, they are copies of the same computer, basically,'' he said.
Mr Ng said he did not need to prove he was registered with WINZ in order to use the kiosks. "It's a self-service kiosk. Anyone can just walk up.''
The exposure of the lax security comes just a week after Minister of Social Development Paula Bennett announced the Government will work to "better share'' information on vulnerable children.
It is planned this will include notifications to CYF, hospital admissions and concerns of community providers or teachers.
Labour's spokeswoman for Social Development and Children, Jacinda Ardern said the security breach was "nothing short of staggering.''
Ms Ardern said the information shown by Mr Ng had "exposed a massive weakness''.
"There are vulnerable kids involved here, right at the time when the minister is proposing a new database and greater information sharing. The minister is going to have to not only rebuild security into the system, but restore people's confidence in it,'' said Ms Ardern.
MSD Deputy Chief Executive Marc Warner said MSD was concerned about the breach and an urgent investigation would be carried out.
He said they were alerted to the breach on Saturday.
"We took immediate steps to secure the system.''
Mr Warner revealed it was not the first time there had been a security issue with public kiosks, he said a security issue was raised during the establishment of the kiosks, but they had been rebuilt to fix the problem.
In a statement issued to media Mr Warner said: "We have closed all kiosks in all sites across the country to ensure no further information can be accessed.
"They will not be reopened unless, and until we can guarantee they are completely secure and we have obtained independent assurance from security experts.''
"We understand the maintenance of public confidence in our ability to protect people's information is vital.
"I want to give the public an assurance that we are doing everything possible to fix this and our people have been working overnight.
"I'm pleased Mr Ng has given an assurance that he will pass all the information to the Privacy Commissioner and has guaranteed none of the information will be given to anyone else or placed in the public arena,'' said Mr Warner.
- APNZBy Kate Shuttleworth @K8Shuttleworth Email Kate