NZ child-protection details were open to public download

New Zealand's Ministry of Social Development has shut down its public kiosks after a blogger discovered he could use them to access the ministry's corporate network.
Written by Michael Lee, Contributor

New Zealand's Ministry of Social Development (MSD) has about 140 Work and Income self-service centres throughout New Zealand, although public kiosks may not be installed at all of them. Using one of these kiosks, freelance journalist and blogger Keith Ng discovered (via an anonymous tip) that although rudimentary measures were in place to separate the kiosks from the rest of the corporate network, access could be gained by mapping network drives via an Open File dialog in any Microsoft Office application.

Ng's perusal of the network turned up a large amount of business information, such as server logs, contractors, companies that owe MSD money, and legal advice invoices; but it also included the personal information of New Zealand customers, such as children in care and protection, their medications, and invoices for those in MSD's high and complex needs program.

Ng noted: "These invoices contain the full names of kids in the HCN program and the cities they live in. In a few cases, they also contain the date of birth and the name of the school which they attend."

Ng briefed the acting privacy commissioner when he discovered the breach, and said that he would hand over the information that he had obtained.

In the meantime, MSD has closed all kiosks while it re-examines its security.

"We have closed all kiosks in all sites across the country to ensure no further information can be accessed. They will not be reopened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts," MSD deputy chief executive Marc Warner said in a statement.

"We understand the maintenance of public confidence in our ability to protect people's information is vital. I want to give the public an assurance that we are doing everything possible to fix this, and our people have been working overnight."

Warner did not say whether Ng's actions would warrant charges against him, but said he appreciated the fact that Ng had done the right thing by submitting the information to the Privacy Commissioner and not putting it in the wrong hands.

"I'm pleased Mr Ng has given an assurance that he will pass all the information to the Privacy Commissioner this morning, and has guaranteed none of the information will be given to anyone else or placed in the public arena," he said.

Ng has sought legal advice, though what he could be charged with is currently open to interpretation, even if MSD does pursue legal action. Section 252 of New Zealand's Crimes Act 1961 makes unauthorised access to a computer system a crime where the person acts "knowing that he or she is not authorised to access that computer system," but section 252(2) provides an exception, stating that the aforementioned clause "does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access." It could be argued that Ng did have access, since it's a public service, and that he was using that access for another purpose.

The New Zealand Labour Party was quick to condemn MSD for the security lapse.

"It raises serious doubts about the department's ability to properly protect the highly sensitive information it holds, and while the compromised data is now in the hands of the Privacy Commissioner, the damage has been done," said Labour spokesperson Jacinda Ardern.

"The minister must urgently demonstrate that she has put greater security around her department's systems, both to restore the public's confidence, but most importantly to ensure the safety of vulnerable children."

Green Party co-leader Metiria Turei also lambasted Minister for Social Development and Employment Paula Bennett, under whose watch the security bungle occurred.

"Given the poor example set by their minister, it is hard to see how the Ministry of Social Development can improve their practices with regards to client privacy," Turei said.

"Section 6, Principle 5 of the Privacy Act 1993 states that the ministry must do 'everything reasonably within the power of the agency' to prevent unauthorised use of the private information they hold.

"By having private information available to anyone who walks in off the street, the ministry has fallen well below the very high bar set for agencies who hold private information."
