http://www.stuff.co.nz/technology/7828278/Sweeping-MSD-privacy-review-unveiled
http://www.stuff.co.nz/technology/digital-living/7828573/Kiosk-debacle-not-black-and-white
Japanese-owned Dimension Data is very well qualified to perform security audits, having acquired a top Kiwi specialist in the field, Security-assessment.com, in 2008.
http://www.nzherald.co.nz/opinion/news/article.cfm?c_id=466&objectid=10840850
Do you trust the Govt with your personal information?
Prime Minister John Key has called for a Government-wide review of online information after the Government's largest security breach.
Up to 700 self-service kiosks located in Work and Income offices across New Zealand, linked to 1500 Ministry of Social Development (MSD) servers, were unsecured. That meant private information was fully accessible to anyone who used them.
The kiosks have been closed and the MSD servers were secured.
http://www.nzherald.co.nz/politics/news/article.cfm?c_id=280&objectid=10840789
PM criticises Winz security breach finder
The Prime Minister has taken a swipe at the person who was first to discover a major security flaw in Work and Income's self-service kiosks.
Ira Bailey - one of 17 people arrested in the Urewera raids in 2007 and an IT analyst - found the issue with the system.
He says he told the Ministry of Social Development last Monday, before he tipped off blogger Keith Ng, who ultimately exposed the issue.
Mr Ng subsequently accessed thousands of documents such as invoices for children's medical care, before blowing the whistle publicly on Sunday night.
"I think the ministry's policy is they don't do that, so they started looking across their systems but they were looking in the wrong place," Mr Key said.
"Obviously it would've been better if the individual involved had actually told the government and not tried to charge the government some sort of fee. But he didn't, and goodness knows what he did with the blogger, I don't know if he gave it [the information] to him or sold it to him."
Mr Bailey has said he was an IT expert by profession and did not usually work for free. The ministry called him back on Wednesday to say it would not pay.
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10840563
Blogger Keith Ng described how he went into a WINZ office and used a self-service kiosk, normally used to look at job vacancies, to access up to 3500 files on the agency's server, "just using the Open File dialogue in Microsoft Office."
Mr Ng said the files were PDF copies of MSD files and he has posted screen shots of what he found online.
He said on Sunday night on the Public Address blog site that he had managed to view an invoice to a community group who had supported a family after their family member attempted suicide (including the person's name), invoices relating to children in CYFS care (including addresses), sensitive client case notes, the names of candidates for adoption and passwords in plain text.
Mr Ng said he did not need to prove he was registered with WINZ in order to use the kiosks. "It's a self-service kiosk. Anyone can just walk up."
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10840564
A barrister in information and privacy law says it is unlikely Keith Ng will face legal action for publishing the fact he'd seen a security gap in computer systems at WINZ offices, allowing sensitive information to be accessed.
John Edwards said Mr Ng's use of the WINZ computer system seemed to be authorised and it wouldn't be in the public interest to prosecute him for accessing private information.
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10840680
The Prime Minister said he was hesitant to jump to conclusions on what went wrong, but labelled the MSD systems as "quite old and quite chunky" despite the kiosk system being only two years old.
What the blogger found:
* Names of candidates for adoptions and foster parents
* Debt collectors' invoices, which listed the names of clients who owed money
* Names of children living in Child, Youth and Family care homes
* Addresses of the care homes
* Names of children and their medical prescriptions on pharmacy invoices
* Names of investigators and clients in fraud investigations
"This stuff was all a few clicks away at any Winz kiosk, anywhere in the country," Mr Ng said on his blog post.
"The privacy breach is massive, and the safety of vulnerable children was put at risk."
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10840860
Urgent review of Govt computer systems ordered
'Disturbing' that security hole not fixed.
Earlier today, Social Development Minister Paula Bennett said it was disturbing that an IT company identified a major security hole in Work and Income's systems more than a year ago but it had not been fixed.