Security breaches show ineptitude

00:00, Oct 17 2012

Here we go again - another example of ineptitude in a government department.

The revelation that blogger Keith Ng was able to access thousands of private files on the Ministry of Social Development agency's servers from kiosk computers in a Wellington Work and Income office, follows on from lapses at ACC.

Prime Minister John Key has denied Government agencies have been too lax with private information.

A massive privacy breach by ACC last year, in which details of 6700 claimants, including 250 sexual abuse cases, were inadvertently emailed to fellow claimant Bronwyn Pullar, involved human error and an old system, he said.

Work and Income public kiosks were shut down on Sunday night after it was revealed the Ministry of Social Development's computer system could be accessed through them. The latest security breach included sensitive case notes, names of children in care and up for adoption, people who owed the ministry money and the name of a person who had attempted suicide. A ministry investigation has been launched.

The story doesn't stop there, either. Not only is there a question mark about who leaked the name of Ira Bailey as Mr Ng's source, but the revelation that Beneficiary Advocacy Federation spokeswoman Kay Brereton alerted Work and Income a year ago that its self-service computers had a security flaw.


Mr Ng says the leaking of his source, and suggestions he paid for information, are a distraction attempt by the Government. It's been revealed his source, Mr Bailey, was a systems administrator who was arrested in October 2007 as part of the police raid against a suspected terror plot. Charges against him were later dropped.

Mr Ng says he only named Mr Bailey publicly after a journalist rang him saying they had been given his name. Mr Bailey had left his name and number when he called the Social Development Ministry last week to raise concerns about the vulnerability of Work and Income's systems. On Thursday, Mr Bailey's LinkedIn profile had been checked out by an adviser in Social Development Minister Paula Bennett's office, Mr Ng claims. The Social Development Ministry has "categorically denied" leaking Mr Bailey's name, Mr Ng says. "I have no evidence it came from the minister's office but I think that is a reasonable guess." All murky stuff. Mr Ng's claims certainly seem feasible.

Meanwhile, Ms Brereton says an IT person from the Wellington People's Centre found they could get into the system and get IP addresses, but didn't go further and alerted Work and Income. She reported that over a year ago. Why was nothing done? The problem could have been fixed there and then.

Despite warning the ministry, Ms Brereton says that instead of finger-pointing over the issue, it needs to be acknowledged there is a problem and it needs to be solved. She wants to see the self-service computer kiosks back up and running because they were useful to beneficiaries.

With people always willing to test security, it's imperative government departments guard against breaches as much as possible. There's no excuse not to have tight security, even more so when you've been warned about security worries a year prior.