Winz kiosk security flaw exposed

03:18, Oct 15 2012

Kiosks at a Wellington Winz office have been shut down and a ministry investigation launched after a major security flaw was exposed.

Prime Minister John Key says the flaw is a "huge problem," and the Social Development Ministry has to work out what caused it.

The kiosks were shut down last night after Wellington freelance journalist Keith Ng reported on his blog that he was able to access thousands of files on the agency's servers from the computers in a Wellington Winz office.

He said he walked into a Winz kiosk and was able to open files including sensitive case notes, names of children in care and up for adoption, foster parents, lists of people who owed MSD money, details of contract workers and how much they were paid, and the name of a person who had attempted suicide.

Key this morning told TVNZ's Breakfast programme accessing the information was not easy, but he conceded it was a "huge problem".

"You had to go looking for it, but if you knew what to do, you could get in there," he said.

"But we just have to understand why because these terminals have been in play or use for well over a year."

"We live in a digital age and we need to make sure those systems are robust. Clearly there is a failure here, we just need to work out what caused it."

Kay Brereton, from Beneficiary Advocacy Federation, this morning told Radio New Zealand the discovery of a privacy flaw was nothing new.

She said about a year ago, she had tested the kiosks not long after they were introduced and found people could get into the ministry's system.

MSD deputy chief executive Marc Warner last night issued a statement saying: "A security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after."

He said the ministry had been alerted to Ng's discovery late yesterday and took immediate steps to secure the system.

Ng said he was shocked when he got access to ministry files through the kiosks, and it took him two and a half hours to download them on to a USB.

"It was very easy. You just could walk into any Winz office, jump on the computer, open up Microsoft Word."

"You can go jump on any computer in the corporate network, and within those computers they all have different things."

Ng said some files contained invoices and others had audio files, but the latter could not be opened.

"I think the problem was that they had their corporate network connected to public kiosks. That shouldn't have happened in the first place.

"The second thing that happened is they thought there was nothing sensitive in the invoices. They were really really wrong about that."

Ng gave assurances that he would pass on all the information to the Privacy Commission today.

Labour social development spokeswoman Jacinda Ardern called for an urgent inquiry into the security lapse at MSD public kiosks.

While the matter had been referred to the privacy commissioner, nothing short of an independent inquiry would be enough to restore confidence, she said.


"It is the most serious breach of privacy I have seen. Unfortunately it joins a list of other departmental breaches that should never have happened."

It wasn't a personal error but rather a system flaw.

"This was information that could be found by anyone who knew how to click a mouse a few times. In fact a beneficiary advocacy group had previously raised the issue with the department."

The Dominion Post