PM criticises Winz security breach finder

Brendan Boyle and Paula Bennett discuss the IT cracks found by Ira Bailey (left). Photo / Mark Mitchell

The Prime Minister has taken a swipe at the person who was first to discover a major security flaw in Work and Income's self-service kiosks.

Ira Bailey - one of 17 people arrested in the Urewera raids in 2007 and an IT analyst - found the issue with the system.

He says he told the Ministry of Social Development last Monday, before he tipped off blogger Keith Ng, who ultimately exposed the issue.

Mr Ng subsequently accessed thousands of documents such as invoices for children's medical care, before blowing the whistle publicly on Sunday night.

The ministry closed the kiosks and ordered an independent inquiry into the lapse and Mr Ng has handed over all the information he obtained to the Privacy Commissioner.

Social Development chief Brendan Boyle said the ministry was first contacted last week by a man who claimed there was a loophole in the system and had asked for a "reward" in return for his co-operation.

That is denied by Mr Bailey.

Mr Boyle said the ministry had not acted because the reference was "vague" and the man had not mentioned the kiosks.

Mr Bailey said he had simply asked if the ministry had incentive payments for people who pointed out security breaches.

"I called up on Monday 8th October to say there was a security leak and ask who to talk to. And I also asked was there an incentives scheme about security flaws, which is what Google and Facebook do."

PM criticises Bailey's involvement

This morning on TV3's Firstline, Prime Minister John Key was asked to comment on Mr Bailey's involvement.

He reiterated Mr Boyle's assertion that Mr Bailey had asked for cash in order to tell the Ministry where the problem was.

"I think the ministry's policy is they don't do that, so they started looking across their systems but they were looking in the wrong place," Mr Key said.

"Obviously it would've been better if the individual involved had actually told the government and not tried to charge the government some sort of fee. But he didn't, and goodness knows what he did with the blogger, I don't know if he gave it [the information] to him or sold it to him."

Mr Bailey has aid he was an IT expert by profession and did not usually work for free. The ministry called him back on Wednesday to say it would not pay.

He said he would have handed the information over at that point, but had already gone to Mr Ng about it. Mr Bailey said he came across the ministry files by accident, while looking for his USB stick on the system.

Mr Boyle said there were no plans to lay charges against Mr Ng for revealing the breach publicly but it was too early to say whether Mr Bailey would be charged.

The privacy breach is further salt in the wound of the Government after a succession of ACC breaches which prompted the Privacy Commissioner and State Services Commission to voice deep concern about the erosion of public trust in state departments.

Social Development Minister Paula Bennett last week announced plans for a new database of vulnerable children, which will allow information sharing by a number of agencies and professionals.

Yesterday, she said that the breach was embarrassing but she did not expect it to delay the database.

The MSD has closed down all the kiosks and hired professional services company KPMG to test systems to ensure they are secure.

Prime Minister John Key says Government chief information officer Colin MacDonald will conduct a Government-wide review of online information.