The Ministry of Social Development shut down internet kiosks around the country and launched a ministry investigation last night, after blogger Keith Ng reported he was able to access thousands of files on the agency's servers from the kiosks in a Wellington WINZ office.
Ng says he used a WINZ kiosk and was able to open files including sensitive case notes, names of children in care and up for adoption, foster parents, lists of people who owed MSD money, details of contract workers and how much they were paid, and the name of a person who had attempted suicide.
However, Kay Brereton, from Beneficiary Advocacy Federation, this morning told Radio New Zealand the discovery was nothing new.
She said she had tested the kiosks not long after they were introduced and found people could get into the ministry's system.
"I went with my collectors and we had a little play on the kiosks to see what they can do, and one of the guys who was with us found out that you can get back into the MSD system," she said.
"We came out finding out ... that the people who were using the kiosks could actually get into Work and Income's information.
"We went far enough to know that there was a problem, and we let Work and Income and MSD national office know that that problem existed. It was important that they did something about it before someone with skills and time found their way back into Work and Incomes files."
MSD deputy chief executive Marc Warner last night issued a statement saying: "a security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after".
He said the ministry had been alerted to the latest security flaw late yesterday and took immediate steps to secure the system.
"MSD is very concerned about this and an urgent investigation is underway."
Ng had stated he accessed client information through WINZ kiosks at two Wellington sites, Warner said.
"We have closed all kiosks in all sites across the country to ensure no further information can be accessed.
"They will not be reopened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts.
"We understand the maintenance of public confidence in our ability to protect people's information is vital.
"I want to give the public an assurance that we are doing everything possible to fix this and our people have been working overnight.
Ng had given an assurance that he would pass all the information to the Privacy Commissioner this morning and had guaranteed that none of the information would be given to anyone else or placed in the public arena, Warner said.
In comments on Ng’s blog post, Thomas Beagle from the NZ Council for Civil Liberties points out that it is possible Ng may face legal action. Beagle wrote that under the Crimes Act s252 (1), "Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system." Political reaction On the TVNZ Breakfast programme this morning Prime Minister John Key said Social Development Minister Paula Bennett is very concerned about the breach. "We need to make sure that those systems are robust," Key said. "People are increasingly accessing information from the government electronically." Labour's social development spokeswoman Jacinda Ardern this morning described the breach as "staggering".
Of particular concern was the information accessed included details of children in a high and complex needs unit and children in Child, Youth and Family safe houses, she said.
"This is an appalling breach of privacy and comes on top of serious security lapses at ACC and the IRD."
The breach also exposed a massive weakness with a proposal in Social Development Minister Paula Bennett's White Paper on Vulnerable Children, launched last week, to set up a database of at risk children, she said.
"It compromises the entire premise. It raises serious doubts about the Department’s ability to properly protect the highly sensitive information it holds, and while the compromised data is now in the hands of the Privacy Commissioner, the damage has been done."