452 records leak in NZ Labour hack
The opposition New Zealand Labour Party has been embarrassed by the discovery of a major security flaw on its website that led to membership, credit card and other details to pass into the hands of a right wing blogger.
Today, Cameron Slater, who runs the Whaleoil blog, said the poor security on the website had placed party supporters' credit card details at risk. This is despite Labour officials earlier emailing 18,000 party members and supporters to try and offer reassurance.
"But given that their systems were open and exposed long enough that Google and nine other bots were able to cache the entire directory system there is a good chance that Russian or Nigerian scamsters also were able to obtain access to the database and credit card processing passwords that Labour left exposed," Slater blogged today.
Labour Party general secretary Chris Flatt today wrote to Slater demanding he destroy membership and other details, something the blogger has to date refused to do.
The controversy began on Sunday when the Herald on Sunday newspaper ran a story concerning the security flaw, which also referred to Slater's emails obtained from the website suggesting that the Labour Party was breaching rules concerning the use of taxpayer funds for party campaigns.
This led to a Labour outcry. It used IP addresses to detect that the ruling New Zealand National Party had also accessed its system.
National Party President Peter Goodfellow admitted his party staffers had accessed Labour's website to see if its own systems had the same weaknesses, but he denied passing on information to Slater, noting the blogger was a long-standing critic of his.
Labour has also complained to the privacy commissioner, which is monitoring the situation.
The party has admitted it could lose support over the issue, particularly if Slater carries out his threat to publish member names on his controversial website.
Party embarrassment was fuelled on Monday when Slater explained in a video post how he had obtained the information using just a web browser. According to Slater, no hacking was involved.
The Geekzone blog branded the simple lack of security "an epic failure on the part of Labour's web team" and said the party would have to ask "serious questions" about its IT staff.
"What has happened is the staff in charge of their websites have failed in the most basic steps to secure their websites, and it is not a design fault," said Nate Dunn, a developer and the blog's moderator.
"Hopefully this experience also teaches them not to store sensitive files online, especially not backups from their main website's MySQL database. I also question why credit card details are being stored online, the industry standard is to use a third-party credit card processor who stores (if required) credit cards securely, removing this liability for your own website," he said.