Beneficiary Advocacy Federation spokeswoman Kay Brereton said she alerted officials to the fact members of the public could access sensitive information in July last year.
Ms Brereton said staff at the Wellington People's Centre (WPC) were trained to use the self-service kiosks when they were introduced at Work and Income (WINZ) offices.
"We were told we should encourage our clients to apply online and do a whole lot of things online at the kiosk. I took my collective down to WINZ so that we could have a bit of a play and find out what we could do on the kiosk."
She said an IT person from WPC found you could track backwards into WINZ's system.
AdvertisementAdvertise with NZME.
"We got to the place where we could find all the IP addresses for all the computers in the local network and we thought that was probably far enough.
"He called me over and said, 'Kay, what do I do now'. I said we had to let WINZ know we've got to here so they can fix this.
"We didn't want to be able to go back into the system - it's actually quite a significant ability to breach their system."
She said they alerted the WINZ representative who was training them. Ms Brereton said she then contacted WINZ national office to make sure they had received the message.
She says she dealt with someone in the corporate and governance department.
"I sent through an email from work to head office to let them know that this problem existed."
Ms Brereton said she had since left her job at the WPC but was shocked that the problem had not been fixed and the information was still available.