Computerworld

Court suppresses details of Ministry hack

Ministry of Health wants to avoid copycat attacks and protect sensitive information

The details of how project manager John Denison managed to hack into the Ministry of Health's computer systems and transfer $2.3 million of Ministry money to a bank account he set up under a false name have been suppressed.

The suppression order was made at the request of the Ministry by Judge Robert Kerr, who on October 15 sentenced Denison to three years' imprisonment.

Denison, an Australian, was hired to work on the claims processing side of the ministry's meningococcal B immunisation programme. His fraud attempt was detected when laboratories that were due to receive the cash complained about not being paid.

Denison was arrested on September 22 after being identified by health ministry healthPAC (payments and claims) general manager Jeannie Bathgate in videos from the ASB bank, where he'd set up the fake account.

Bathgate says the request to suppress how Denison accessed the system was made to prevent copycat actions and because it is "sensitive information".

Independent IT security consultant Nick FitzGerald, speaking in general terms and not in reference to the Denison case, says information about hacking attempts into computer systems could be beneficial if the hacking process was relatively simple and the systems were poorly designed and protected, in which case suppression may prevent copycat crimes.

However, "if there was a large degree of sophistication in what they did, it's unlikely there would be copycat crimes," as few would have the skills to attempt a similar break-in, FitzGerald says.

Bathgate says the Ministry brought in accounting and IT consultants to check the systems. Westpac Bank was also involved because the Ministry uses its Deskbank banking system, she says.

She adds that the fact the missing money was detected so quickly and transactions reversed shows the ministry's financial reporting systems are robust, but on the question of why Denison was able to break in at all, responds "that an attempt was even made is an issue and we have moved, using internal and external expertise, to ensure that attempts of this kind will not be possible in the future."

The Ministry was required to provide a victim impact statement during the case and estimate the financial cost of the affair, which it put at $50–$80,000 in the statement.

Some "e-forensics" work is still being carried out, Bathgate says.

Denison also committed passport fraud by using a false passport as ID for the bank account.

The Accident Compensation Corporation, a previous employer, has looked into Denison's time there, spokesman Fraser Folster says. "Our investigation is substantially finalised and there has been no fraudulent activity detected," he says.

Denison worked at ACC from June 2003 to April 2004 as a project manager.