Winz security flaw existed for 13 years

By Kate Shuttleworth

File photo / NZ Herald

Computer terminals used for 13 years by job seekers at Work and Income offices had the same security flaw as the self-service kiosks at the centre of the major privacy breach at Winz.

An independent report has revealed the computers used between 1998 and 2011 were also connected to Ministry of Social Development's corporate computer network allowing access to private information.

The kiosks' privacy flaw, publicised by blogger Keith Ng, was brought to the attention of the ministry more than a year ago by beneficiary advocate Kay Brereton after a training session on them, and again this year by Ira Bailey, an IT analyst and one of 17 people arrested in the Urewera raids in 2007.

In its report, accountancy firm Deloitte said the ministry's kiosk security settings were inadequate, but when the ministry learnt of the flaw its response was appropriate.

The ministry today confirmed the pre-kiosk "Worktrack" computers had the same vulnerability as the kiosks, but no unauthorised access had been found and no complaints were laid with the Privacy Commissioner.

The kiosks were shut down on October 14 after blogger Keith Ng notified media and the Privacy Commissioner of the breach.

The training session was carried out on Worktrack PCs as the new kiosks system had been "tacked on" to them during the trial phase.

Ms Brereton's complaint was lodged with a senior business manager at Winz, and was passed on to the IT security team, but it was not formally logged.

Ministry of Social Development chief executive Brendan Boyle apologised to Ms Brereton in person for the poor handling of her complaint.

"He was professional - and I spoke to him about what they were going to do about making sure beneficiaries still have computer access."

Mr Boyle has called the privacy breach slack and sloppy.

Social Development Minister Paula Bennett said she could not be blamed for the breach.

Of 7300 files downloaded by Mr Ng, Deloitte found 1432 included personal information such as a person's name and date of birth, and some description of the medical and legal services that were purchased.

The report showed ministry staff knew about the security risks at the kiosks.

Four people were being investigated at the ministry, and could lose their jobs.

Mr Boyle said people would be held accountable for the breach, but he would not be drawn on the details of such sanctions.

An independent barrister would carry out the employment investigation, which would look at whether staff acted appropriately with the information they had.

The Deloitte report said the February 2011 earthquakes in Christchurch could have contributed to the problem when 120 of 400 staff working on the set-up of the kiosk were sent to Christchurch.

"This caused many impacts including putting pressure on business as usual and project activities, and stress on personnel. This series of circumstances would likely have contributed to a lack of normalcy in the IT organisation during that time."

Dimension Data were hired by the ministry to test the system and found in April last year that the security of the kiosks was flawed and should be corrected before they were launched.

Deloitte found the ministry's response to the findings was inadequate.

Dimension Data identified a lack of network separation and the existence of accessible network shares as the main security risks.

This was ignored, and the ministry went ahead and launched the kiosks.

- APNZ

© Copyright 2014, APN New Zealand Limited
