Reports of a potentially serious security breach in Ministry of Justice database systems are wrong, the ministry’s deputy secretary for organisational development and support, Rose Percival, says.
“There has been no privacy breach and no release of private information,” she says.
However, Opposition ICT spokesperson Clare Curran insists, after a second informant contacted her, that confidential files are open to intrusion.
“What has occurred,” Percival says of the first alleged breach, “is that someone has accessed an administrative file in a ministry website.
“This isn’t a member of the public inadvertently finding information. It appears to be about someone with IT skills deliberately trying to get into a ministry IT system – the site where people apply to become licensed security guards.”
The discoverer of the flaw conveyed to Curran a report alleging a hole that allowed a user to get across from a public section of the ministry’s website to a password list. Curran is not disclosing the informant’s identity.
An initial impression that the databases covered licences and fines led Curran to suggest “those databases would likely include the personal details of many victims of crimes.” But this is not correct, Percival says.
The initial vulnerability brought into view a file of passwords in plain text, which it was believed could in turn be used to access the database. The whistleblower who informed Curran did not themselves try to access the database, but only viewed the password list.
Justice Minister Judith Collins says the passwords in the breached file could only have been used to access databases from within the ministry.
“The ministry does not want anyone to be alarmed and is concerned that these claims are being made,” Percival says. “The ministry takes information security seriously and has extensive systems and multiple layers of security in place to ensure this.
“The system in question is isolated and protected by firewalls that control access to other ministry systems,” Percival says. “The ministry does not believe the person could have used the information in the administrative file to access other ministry systems or information.
“The ministry has identified how the person accessed the administrative file and has closed the affected website while it addresses this issue. It will be running again as soon as testing of the changes is complete.
“Unfortunately, no website, just like no building, is completely secure if people are determined to get into it,” Percival says.
However, Curran still insists there are serious holes in the ministry’s security. “A second person has this afternoon come forward and said that significant flaws in the ministry website allowed easy access to more than 63,000 documents via the Tenancy Tribunal section of the website,” she says.
“I have been told that these are basic security flaws not requiring a lot of computer programming knowledge.
“I note that parts of the website were shut down today after I notified the ministry of the security hole. That confirms that this is a serious security issue.”
Curran yesterday morning informed the ministry, Minister Collins and the Privacy Commissioner.
However, Ministry spokesman Nathan Green says Curran’s second breach allegation doesn’t stand up either. “The 63,000 documents Clare Curran is referring to in her second release are all publicly available Tenancy Tribunal decisions - the public is supposed to have access,” he says.
Following access to confidential Ministry of Social Development information last year, a review of the security of publicly accessible computer systems in government agencies was begun under the auspices of Government CIO Colin MacDonald.
“The GCIO’s report has been completed and the response to the report’s findings and recommendations is currently being finalised,” State Services Commission spokesman Tim Ingleton told Computerworld late last week. “The GCIO’s report and the response to it will be publicly released. The aim is for this to take place in May.”
Contacted again yesterday, Ingleton says he is not aware of any change to these plans since then in light of the recent breaches.
Both the Ministry of Justice and the Earthquake Commission – from which sensitive information was erroneously sent attached to emails at least twice – will have been covered in the review.