CERA data possibly exposed in WINZ flaw

10:42, Oct 15 2012
Cyber security
SECURITY: PM says security flaw at Work and Income kiosks is a "huge problem" that needs to be fixed.

A major security breach which gave the public access to sensitive welfare case notes also allowed them to view scanned invoices from the Canterbury earthquake authority.

The invoices related to work paid by the Ministry of Social Development (MSD) on behalf of CERA to its suppliers, but did not include invoices about CBD demolitions, CERA acting chief executive Warwick Isaacs said.

Red Zone property settlements or any personal information held on Red Zone property owners was not included, Isaacs said.

Boyle, Bennett
FRONTING UP: Ministry of Social Development chief executive Brendan Boyle and minister Paula Bennett at today's press conference. Bennett says she still has confidence in Boyle.

Public Work and Income kiosks were shut down last night after it was revealed MSD's computer system could be accessed through them.

A ministry investigation has been launched after blogger Keith Ng reported that he was able to access thousands of files on the agency's servers from the computers in a Wellington WINZ office.

He said he walked into a WINZ kiosk and was able to open files including sensitive case notes, names of children in care and up for adoption, foster parents, lists of people who owed MSD money, details of contract workers and how much they were paid, and the name of a person who had attempted suicide.


The CERA information which was also accessible related to invoices held by MSD between December last year and last week.

It was not known if the information was viewed, but CERA would be advising its creditors where appropriate, Isaacs said.

Officials were looking into what information was available and what may have been seen.

The two organisations use the same information systems and share some information, a MSD spokesman said.

"There is some sharing but don't know the degree to which it is shared nor the degree to which it could be accessed."

Ng said it took him two and a half hours to download the MSD files on to a USB. "It was very easy."

"I think the problem was that they had their corporate network connected to public kiosks. That shouldn't have happened in the first place.

"The second thing that happened is they thought there was nothing sensitive in the invoices. They were really, really wrong about that."

Along with the ministry's investigation, an independent security expert will conduct an inquiry into the security breach.

Ministry of Social Development chief executive Brendan Boyle said the review would look at the public kiosks which allowed access to private information.

Boyle said he was grateful Ng was co-operating and would not release the information he managed to obtain.

However, Boyle said the department could not be sure no other breaches had been made, though said the information Ng accessed was not client files.

Once it knew what information had been accessed MSD would decide whether any clients needed to be advised.

"The buck always stops with the chief executive," Boyle said when asked who had responsibility.

Audit firm KPMG carried out regular checks and attacks on MSD's systems in a bid to highlight weak areas. They had not found any issues.

Social Development Minister Paula Bennett said she still had confidence in Boyle.

"I consider this very serious, as does the chief executive.

"To me it says a very significant mistake was made."


Assistant Privacy Commissioner Katrine Evans said the Commission was "very concerned" about the security breach and an investigation has been launched."Most of the data that we know about so far involves invoices and file server logs. We do not have evidence that the ministry’s client databases have been compromised, though obviously this is something we will be looking very closely at," she said.

"Protecting personal information is a cornerstone of public trust in both government and business, particularly in the digital environment – and this is one of several recent incidents that show that agencies need to up their game."

Evans said Ng had returned all the files this morning, and had not kept copies.

Prime Minister John Key said the security flaw is a "huge problem", and the Government has to work out what caused it.

Key this morning told TVNZ's Breakfast programme accessing the information wasn't easy, but he conceded it was a "huge problem".

"You had to go looking for it, but if you knew what to do, you could get in there," he said.

"But we just have to understand why because these terminals have been in play or use for well over a year.

"We live in a digital age and we need to make sure those systems are robust. Clearly there is a failure here, we just need to work out what caused it."


Kay Brereton, from Beneficiary Advocacy Federation, this morning told Radio New Zealand the discovery of a privacy flaw was nothing new.

She said about a year ago, she had tested the kiosks and found people could get into the ministry's system.

"I went with my collectors and we had a little play on the kiosks to see what they can do, and one of the guys who was with us found out that you can get back into the MSD system," she said.

"We went far enough to know that there was a problem, and we let Work and Income and MSD national office know that that problem existed. It was important that they did something about it before someone with skills and time found their way back into Work and Incomes files."

MSD deputy chief executive Marc Warner last night issued a statement saying: "a security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after".

However the original claim of security breaches a year ago was "quite different" to the most recent breaches, Boyle said.

The issue raised a year ago was around internet protocols.

The Dominion Post