Cera invoices possibly exposed

Last updated 16:59 15/10/2012
Cyber security
SECURITY: PM says security flaw at Work and Income kiosks is a "huge problem" that needs to be fixed.


Invoices detailing payments from the Canterbury Earthquake Recovery Authority (Cera) to its suppliers could have been accessed due to a security flaw with Work and Income public kiosks.

LATEST: The public kiosks were shut down last night after it was revealed the Ministry of Social Development's (MSD) computer system could be accessed through them.

Today, it was revealed that information from Cera had also been open to the public as part of the breach.

In a statement, acting Cera chief executive Warwick Isaacs said the authority had been advised that an area storing Cera's scanned invoices was part of the corporate information that had been accessible through the kiosks.

Isaacs said the information included invoices paid by MSD on behalf of Cera to its suppliers between December 2011 and last week.

While Cera did not know if the information had been viewed, Isaacs said the authority would be informing its creditors of the potential breach "where appropriate".

All invoices for central business district demolitions, residential red zone property settlements and personal details of red zone homeowners were stored outside the MSD system and had not been accessed, Isaacs said.

A ministry investigation has been launched after blogger Keith Ng reported that he was able to access thousands of files on the agency's servers from the computers in a Wellington Work and Income office.

He said he walked into a Work and Income kiosk and was able to open files, including sensitive case notes, names of children in care and up for adoption, foster parents, lists of people who owed the ministry money, details of contract workers and how much they were paid, and the name of a person who had attempted suicide.

An independent security expert will conduct an inquiry into the security breach.

Ministry chief executive Brendan Boyle said the review would look at the public kiosks that allowed access to private information.

Ng said it took him two and a half hours to download the files on to a USB.

"It was very easy."

"I think the problem was that they had their corporate network connected to public kiosks. That shouldn't have happened in the first place," he said.

"The second thing that happened is they thought there was nothing sensitive in the invoices. They were really, really wrong about that."


Along with the ministry's investigation, an independent security expert will conduct an inquiry into the security breach.

Labour social development spokeswoman Jacinda Ardern today described the breach as "staggering".

"This is an appalling breach of privacy and comes on top of serious security lapses at ACC and the IRD," she said.


Kay Brereton, from Beneficiary Advocacy Federation, today told Radio New Zealand the discovery of a privacy flaw was nothing new.

She said that about a year ago she had tested the kiosks not long after they were introduced and found people could get into the ministry's system.

"I went with my collectors and we had a little play on the kiosks to see what they can do, and one of the guys who was with us found out that you can get back into the MSD system," she said.

"We went far enough to know that there was a problem, and we let Work and Income and MSD national office know that that problem existed. It was important that they did something about it before someone with skills and time found their way back into Work and Income's files."

MSD deputy chief executive Marc Warner last night issued a statement saying: "A security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after".

He said the ministry had been alerted to Ng's latest discovery late yesterday and took immediate steps to secure the system.

- The Press

