State Services Commissioner Iain Rennie has formally asked the Government Chief Information Officer Colin McDonald to carry out an urgent review of publicly-accessible systems operated by State Services.

Mr Rennie said the Work and Income kiosk security failure had seriously breached any trust New Zealanders had in the Government.

"It is imperative that Government takes the lead to reassure the public and repair the damage that has been done to this trust,'' said Mr Rennie.

He said Mr McDonald will contact all government agencies directly, to seek assurance that their computer systems are robust.


"Mr McDonald will lead public service agencies in evaluating and strengthening their ICT security measures to ensure that there are no systemic faults that could cause additional security issues.''

Since the findings of the Privacy Commission report in August on the handling of private material held by ACC, the State Services Commission has been considering a wider role for Mr McDonald across the system.

"The use of technology to further improve access to public services is essential, but this needs to be delivered while ensuring personal information is protected,'' Mr Rennie said.

Disturbing' that security hole not fixed.

Earlier today, Social Development Minister Paula Bennett said it was disturbing that an IT company identified a major security hole in Work and Income's systems more than a year ago but it had not been fixed.

The Ministry of Social Development revealed this morning that IT company Dimension Data had tested the self-serve kiosks in April last year and identified issues of concern.

Ms Bennett confirmed the report identified the same problem which was revealed this week by blogger Keith Ng, who had easily accessed thousands of copies of invoices with personal details on them through the kiosks.

"What we now need to work out is was [the report] acted on, how was it acted on and obviously it wasn't well enough or we wouldn't be in this situation today.''


Ng has handed all his information to the Privacy Commissioner and MSD has contracted Deloittes to investigate the actual breach in question as well as MSD's wider computer security.

Ng was tipped off about the hole by Ira Bailey - an IT analyst who told the Herald he came across it by mistake while he was using a kiosk and was trying to find his USB stick.

He had initially gone to the MSD to warn them of a hole and asked if they had incentive payments for reports of security flaws similar to those offered by Google or Facebook.

Ms Bennett said the issue of Ira Bailey asking about some form of payment in return for the information before he went to Ng was only a "side issue'' and she had bigger problems to deal with.

She said Mr Bailey and Ng had ultimately done the department a favour.

"I feel no ill-feeling towards any of them. At the end of the day, it's not their fault there is such a security flaw in the system and that is quite frankly the responsibility of the ministry. The main issue is that people were able to access information they shouldn't have been able to access.''

Asked if she believed Mr Bailey had tried to 'blackmail' the Ministry of Social Development in return for his cooperation, she said she believed he was asking for a 'reward.'

"You can take from that what you want to.''

Asked if Mr Bailey's name was leaked to the NZ Herald from within their offices, both Prime Minister John Key and Ms Bennett said not as far as they were aware.

Ms Bennett said the Ministry of Social Development had said the leak had not come from them and she took them at their word.

What Deloittes will look at

Earlier today the Ministry of Social Development's chief executive Brendan Boyle said he wasn't confident that a warning about security flaws 18 months ago was acted on properly.

Mr Boyle said the ministry received a report from Dimension Data in April last year identifying "flaws" in its system.

"We will be asking Deloittes to determine what we did to follow up this report's recommendations and whether our response was adequate.

"Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data's recommendations on security. I will look to the review to provide me with the answers," Mr Boyle said.

"I can confirm that KPMG was not engaged to penetration test our public kiosks. They have, however, been engaged in doing testing on other parts of our system."

Mr Boyle said the ministry's immediate aim was to resolve any security problems and restore public confidence in its systems.

The Deloittes review would happen in two phases.

The first would deal with the immediate security of its public kiosks. It would look at what happened, how secure information was able to be accessed and how it could be prevented from happening again.

The second phase would involve a broader look at security across all the ministry's IT systems, including policies, governance and culture.

How the flaw was discovered

It has been revealed that Ira Bailey - one of 17 people arrested in the Urewera raids in 2007 - was the first to discover the major privacy flaws in the self-service kiosks.

Mr Bailey, an IT analyst, said he told the ministry last Monday that there was a security issue before he tipped off blogger Keith Ng.

Ng subsequently accessed thousands of documents such as invoices for children's medical care, before blowing the whistle publicly on Sunday night.

The ministry closed the kiosks and ordered an independent inquiry into the lapse and Ng has handed over all the information he obtained to the Privacy Commissioner.

Mr Boyle said the ministry was first contacted last week by a man who claimed there was a loophole in the system and had asked for a "reward" in return for his co-operation.

The ministry had not acted because the reference was "vague" and the man had not mentioned the kiosks, he said.

Mr Bailey said he had simply asked if the ministry had incentive payments for people who pointed out security breaches.

"I called up on Monday 8th October to say there was a security leak and ask who to talk to. And I also asked was there an incentives scheme about security flaws, which is what Google and Facebook do."