Govt orders review after flaw exposed

09:02, Oct 16 2012

Government Chief Information Officer Colin McDonald will conduct an urgent review of publicly-accessible information systems operated by the state sector.

The review comes after details of a major security flaw in the Ministry of Social Development's systems were exposed.

Blogger Keith Ng revealed on Sunday he was able to access thousands of private files on the agency's servers from kiosk computers in one of its Wellington offices. The files included sensitive case notes, names of children in care and up for adoption, people who owed the ministry money, and the name of a person who had attempted suicide.

Last night he revealed his source was Ira Bailey, a systems administrator who was arrested in October 2007 as part of the police raid against a suspected terror plot, but charges against him were later dropped.

State Services Commissioner Iain Rennie has asked McDonald to undertake an urgent review.

"Since the findings of the Privacy Commission report in August on the handling of private material held by ACC, the State Services Commission have been considering a wider role for the GCIO across the system."


Ng today said the leaking of the name of his source, who identified security flaws at Work and Income (Winz), and suggestions he paid for information, are a distraction attempt by the Government.

Ng said he only named Bailey publicly after a journalist rang him saying they had been given his name.

Bailey had left his name and number when he called the Social Development Ministry last week to raise concerns about the vulnerability of Work and Income's systems.

On Thursday, Bailey's LinkedIn profile had been checked out by an adviser in Social Development Minister Paula Bennett's office, Ng said.

The Social Development Ministry had "categorically denied" leaking Bailey's name, Ng said.

"I have no evidence it came from the minister's office but I think that is a reasonable guess."

Ng said the Government wanted to "turn the conversation around" to focus on Bailey.

However, Bennett today denied the leak came from her office and Prime Minister John Key ruled out involvement from his staff.

Bailey's involvement was not her main issue, Bennett told reporters.

"I've got bigger issues to work my way through than that right now."

Bennett has been criticised in the past, including by the Human Rights Commission, for misusing private beneficiary information.

Prime Minister John Key today criticised Bailey for asking for money from the ministry and not identifying the kiosks as the security problem.

"[He was] just pointing to the system and wanting an incentive payment or wanting cash basically to tell us where the problem was," he told 3News.

"So they started looking, as you would expect them to, across their systems but they were looking in the wrong place."

Key said it would have been better if Bailey hadn't asked for money. "Goodness knows what he did with the blogger, I really don't know whether he gave it to him or sold it to him."

Ng said Key's comments were "clearly a distraction".

"I've bought (Bailey) two coffees and gave him a bite out of my pistachio pie. That is the complete list [of what] I have given him. I have not given him any cash at all."

Ng has raised close to $5000 in public donations through his website for his work.


Not enough was done after a report identifying problems with Winz kiosks was raised more than a year ago, Bennett said.

Social Development Ministry chief executive Brendan Boyle said this morning that it had received the Dimension Data report in April 2011, which identified flaws in its system.

"It does look like the same flaw," Bennett said.

Yesterday there were suggestions Dimension Data had tested the kiosks and found no problem; however, Bennett said that innuendo should not have been made.

"They had identified a flaw, I think it's our responsibility now to find out if it had been followed up appropriately and you have to say, with what we're dealing with in the last few days, they haven't been."

It was not Bailey's or Ng's fault that there was a flaw in the system, Bennett said.

"The main issue is that people were able to access information that they shouldn't have been able to access."

Boyle earlier signalled his ministry may be at fault for not responding adequately to warnings about computer security flaws.

"We will be asking Deloitte to determine what we did to follow up this [Dimension Data] report's recommendations and whether our response was adequate.

"Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data's recommendations on security. I will look to the review to provide me with the answers," he said.

Deloitte would review the ministry's computer security.

He confirmed that KPMG was not engaged to test the public kiosks. "They have, however, been engaged in doing testing on other parts of our system."

"Our immediate aim is to resolve any security problems and restore public confidence in our systems," Boyle said.

- Kate Chapman, Vernon Small, Danya Levy and Andrea Vance