Updated 3pm Social Development Minister Paula Bennett says experts have found the problem which caused the massive security breach in Work and Income kiosks. But despite this Bennett says, in a media statement, that the kiosks will remain closed "until the system can be guaranteed as secure.” She expects an independent investigation into Work and Income computer systems will “give the public assurances that security is robust and private information is safe.” “I’m deeply disappointed information which should have been secure has been accessed, the public has a right to expect more of a government agency,” says Bennett. “I’ve demanded answers as to how a journalist managed to gain access to files and I am appalled that it was possible, even with a level of skill.” “It is unacceptable for information of this nature to be accessible and it is absolutely vital the Ministry of Social Development fix this issue in the first instance and ensure there aren’t any other possible security gaps elsewhere.” “An independent investigation will look into all aspects of security, reaching back to when the kiosks used by the public were installed. This investigation will get underway immediately,” says Bennett. Bennett says she has sought assurances from MSD CEO Brendan Boyle that the department’s systems are secure. Boyle has been head of the department for a year, prior to that he was the government CIO and Department of Internal Affairs CEO. At a press conference this afternoon Boyle said the department could not be sure no other breaches had been made, though said the information Ng accessed was not client files.
Once it knew what information had been accessed MSD would decide whether any clients needed to be advised. "The buck always stops with the chief executive," Boyle said when asked who had responsibility.
Audit firm KPMG carried out regular checks and attacks on MSD's systems in a bid to highlight weak areas. They had not found any issues.
Social Development Minister Paula Bennett said she still had confidence in Boyle.
"I consider this very serious, as does the chief executive.
"To me it says a very significant mistake was made."
The Privacy Commissioner’s office is this afternoon in talks with the Ministry of Social Development about its own internal investigation into the WINZ kiosk security breach and how this will dovetail with the Commissioner’s investigation.
Assistant privacy commissioner Katrine Evans says the first priority has been to ensure the kiosks are closed and to recover from blogger Keith Ng the data he accessed and gain an assurance from him that he has not retained copies.
The Privacy Commissioner’s office has moved formally into “investigation mode” on the incident, Evans says. Information about the progress of an ongoing investigation is confidential and will normally not be released, unless it uncovers something that the public urgently needs to know about.
It does appear data could be accessed through the kiosks with “relative ease” and that this did not need an unusual amount of technical skill, Evans says. “We don’t at present know how wide-ranging the consequences of this incident might be” and therefore how long the investigation might take, she says.
Meanwhile a spokesman for Earthquake Recovery Minister Gerry Brownlee told stuff.co.nz that Canterbury Earthquake Recovery Authority (CERA) information shared with MSD may also have been available to people using the kiosks.
Officials were looking into what information was available and what may have been seen.The two organisations use the same information systems and share some information, the spokesman confirmed.
Security expert Daniel Ayers says WINZ kiosk security flaw may extend beyond Ministry of Social Development systems.
Yesterday blogger Keith Ng revealed on the Public Address site a major security flaw with computer kiosks used by the Ministry of Social Development at its WINZ offices. The kiosks were installed for WINZ clients to look for jobs and send out CVs, but an oversight in the computers' security meant clients could access potentially sensitive files across MSD's servers.
Ayers is calling for an official audit into government IT security by the State Services Commission.
"We need to ask the question could the same thing have gone wrong elsewhere in government?" says Ayers.
Ayers says public facing computers should not be able to view internal government networks, let alone access them. The fact that this might have been overlooked, especially following earlier security and privacy controversies in government including the ACC, is "boneheaded" says Ayers.
He points out that among the list of viewable servers pictured by Public Address, is one named "Ceroff01". Ayers says this could possibly be the Christchurch Earthquake Recovery Authority's (CERA) office server - which prompts the question, how extensive a security flaw was this?
(Screenshot of accesible folders on WINZ kiosk, by Keith Ng)
When CERA was first established in 2011 it initially occupied MSD's offices in Papanui. MSD has a shared IT services agreement with CERA, including the sharing of IT infrastructure. It has similar agreements with the Office of the Children's Commissioner, and the Families Commission.
Ayers, who is the founder and director of computer forensics company Elementary Solutions, says if CERA's network is indeed accessible by the the kiosk users it could also be accessible by WINZ staff - and vice versa.
"They're not compartmentalising their information," says Ayers. "It means a rogue staff member somewhere could maliciously copy or sell that information."
A spokesperson for CERA says he is unable to confirm or deny whether Ceroff01 is a CERA server. CERA says that information about private property owners is stored separately from the system viewable in the picture, and it is currently consulting with its IT personnel to see if it shares the same security flaw as MSD.
The spokesperson says CERA is unable to comment further until it has consulted with its IT staff.
- Additional reporting by Fairfax NZ