Winz breach: Blogger unlikely to be prosecuted

By Michael Dickison, Kate Shuttleworth, APNZ staff

Keith Ng used these kiosks to uncover private information about MSD clients. Photo / file

A barrister in information and privacy law says it is unlikely Keith Ng will face legal action for publishing the fact he'd seen a security gap in computer systems at WINZ offices that allowed sensitive information to be accessed.

John Edwards said Mr Ng's use of the WINZ computer system seemed to be authorised and it wouldn't be in the public interest to prosecute him for accessing private information.

"I don't think there would be any prosecution - he's not made any use of the information, he hasn't published it. He's drawn it to the attention of the appropriate authorities.

"It's unlikely he's committed an offence - he was authorised to have access to that system.

"If you put a computer out in the middle of the room and say, here help yourself, and fail to take adequate steps to fence off different parts, then it's hard to say someone has had unauthorised access."

Mr Edwards said it was important for the Ministry of Social Development to have a systematic and methodical review of the implications of any new computer system or database which collects or uses personal information.

"Before they rolled out the kiosk concept they should have thoroughly tested it and got people to review its implications and try to break it - if they'd done that a year ago when they put it in place then they would have picked it up.

"They need really good mechanisms for notifying privacy breaches and actioning them - these issues were brought to the attention of the department over a year ago."

He said this sort of security gap was something you'd expect "in a 1990s initiative".

Mr Edwards has been on the staff of the Office of the Ombudsmen, the Privacy Commissioner, the Ministry of Health and the State Services Commission.

Meanwhile, the Assistant Privacy Commissioner said it was positive Mr Ng had brought a security breach at the Ministry of Social Development to the public's attention.

Katrine Evans said she was notified last night about the files Mr Ng had taken from a WINZ public-access kiosk on a USB stick and immediately contacted the Ministry of Social Development.

"We had a conversation about him returning the files to us, which he has now done, and the need to close the kiosks so that nobody else could go through the same security loophole.

"Even from the little we know, there is very sensitive personal information on there and there's other confidential information too which was obviously accessible - so we are treating it very seriously.

"Any time we have an episode like this, it has the capacity for very serious damage to trust in Government and in business.

"I think people are waking up to the fact that protection of personal information is one of the foundation stones of good government and good business."

Minister to meet staff

Social Development Minister Paula Bennett was today due to meet her Ministry staff to find out how computer files containing private details of clients could be obtained from public access kiosks in Work and Income offices.

It's a security breach that's been labelled a "failure" by the Prime Minister.

And this morning a beneficiary advocate claimed the Ministry of Social Development was made aware of the flaw in its computer servers more than a year ago.

MSD - urgent investigation underway

MSD deputy chief executive Marc Warner said last night an urgent investigation had started.

"We have closed all kiosks in all sites across the country to ensure no further information can be accessed," he said in a statement.

"They will not be re-opened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts."

What the blogger found:

Keith Ng, who blogs on publicaddress.net, wrote in a post at 10pm last night that he had followed up on a tip-off about the security lapse last week.

He had gone to two Wellington offices and found anyone could open private files through public computer kiosks.

Mr Ng said data exposed to public view included:
* Names of candidates for adoptions and foster parents
* Debt collectors' invoices, which listed the names of clients who owed money
* Names of children living in Child, Youth and Family care homes
* Addresses of the care homes
* Names of children and their medical prescriptions on pharmacy invoices
* Names of investigators and clients in fraud investigations

"This stuff was all a few clicks away at any Winz kiosk, anywhere in the country," Mr Ng said on his blog post.

"The privacy breach is massive, and the safety of vulnerable children was put at risk."

Also among the thousands of documents Mr Ng accessed were contractors' invoices, legal bills, medical reports and an invoice from a community group that had given support to a family after a suicide attempt. It listed the person's name.

'There is a failure here' - Prime Minister

John Key said on TVNZ's Breakfast he had spoken with Social Development Minister Paula Bennett this morning about the breach.

"Like everybody, she's very concerned," he said.

"At the end of the day people are increasingly accessing information from the Government electronically - we live in a digital age and we have to make sure that those systems are robust and clearly there's a failure here and we just have to work out what's caused it.

"They have closed down those self-serve, self-kiosk computer terminals until they can find out exactly what's gone wrong and why.

"Clearly there is a failure here."

Mr Key believed it wasn't easy for the files to be accessed - he said "you had to go looking for them".

Political reaction: 'It's astounding'

Labour MP Jacinda Ardern described the breach as 'appalling' and said it comes on top of serious security lapses at ACC and the IRD.

She says the creation of a shared database to monitor vulnerable children - central to a white paper released by Social Development Minister Paula Bennett last week - now needs to be looked at.

"It raises serious doubts about the Department's ability to properly protect the highly sensitive information it holds, and while the compromised data is now in the hands of the Privacy Commissioner, the damage has been done."

Ms Ardern disagreed with Prime Minister John Key that the information wasn't easily accessible, saying it was just a few clicks away.

Green Party co-leader Metiria Turei said the breach was another blow to public trust in the ability of Government agencies to safeguard the confidential data they hold.

She said the privacy breach was symptomatic of a ministry with a low regard for client privacy.

"The Ministry of Social Development has repeated ACC's privacy breach debacle, with details including housing and pharmacy records of children in CYF care being publicly available via self-service kiosks at Work and Income branches across the country."

MSD: Guarantee information will not be shared

Mr Warner said Mr Ng had guaranteed none of the information he saw would be given to anyone else or placed in the public arena.

But it was not clear last night how long the information had been exposed to the public and how many people might have accessed it.

Commenters online said the public kiosks were only the tip of the iceberg.

There had been a fundamental lack of security - the files and servers were apparently wide open to anyone within the ministry's internal network.

The ministry said the system had already been rebuilt once after a security issue was raised during the establishment of the kiosks.

"We understand the maintenance of public confidence in our ability to protect people's information is vital," Mr Warner said.

"I want to give the public an assurance that we are doing everything possible to fix this and our people have been working overnight."

- NZ Herald

© Copyright 2014, APN New Zealand Limited