Dimension Data NZ has emerged as the systems integrator behind the installation of kiosks at the centre of the New Zealand Ministry of Social Development (MSD) data breach scandal.
This morning it was revealed that members of the public could access confidential documents from kiosks installed at a New Zealand government welfare agency, leaving data from multiple agencies, corporations and citizens wide open.
MSD CEO Brendan Boyle said the kiosks had been built internally by the Ministry, and deployed with the help of systems integrator Dimension Data in 2010. Some 700 kiosks were implemented across the country.
Dimension Data was responsible for the security testing of the system, having conducted an audit on the kiosks earlier this year, but found no hole.
Dimension Data did not respond to request for comment by the time of publication.
The MSD said in a statement to CRN it had called in independent security experts to investigate the "unacceptable" security breach.
Boyle said the investigation would ascertain whether Dimension Data would need to be held to account.
"We have to undertake that review and that’s what we want to get to the bottom of – what happened, why did it happen and what can we learn from it? And were not at that stage yet."
As reported by CRN sister publication iTnews earlier today, blogger Keith Ng was able to gain access to highly sensitive information - including invoices and personal contact data - from self-service kiosks installed by the New Zealand Work and Income welfare agency.
The data included invoices issued to the Ministry that featured information about children in state care.
The self-service kiosks were installed by the New Zealand Work and Income welfare agency just over a year ago as part of a staff reduction program and to provide jobseekers internet access to apply for jobs online.
Today it has been revealed that the anonymous source that tipped off journalists about the vulnerability had approached the Ministry last week, seeking a financial reward.
iTnews spoke to the Wellington-based blogger, Keith Ng, who first broke the news about the massive privacy breach after being tipped off last Tuesday.
His source claimed to have been aware of the breach for a number of days and had also alerted the Ministry last week, seeking a financial reward.
Ng told iTnews he was unsure how well-known the issue was and whether it has already been exploited.
“It’s not something you would stumble upon [by accident],” Ng said.
"You need to sit there for around half an hour to work out what’s happening and to navigate the system," Ng said.
The kiosks, which run an old version of Windows, 2000 or XP, had some protections in place to prevent unauthorised access.
“You can’t click on things and can’t open Explorer (the Windows built-in file management tool),” Ng said.
However, the security restrictions were easily bypassed as the kiosks run a full version of Microsoft’s Office Productivity suite, including applications such as Excel and Word, Ng said.
“By using the Open File dialog, you had access to the applications’ file manager and could read files that way, as well as copy and move them,” Ng said.
Ng says the kiosks were internet-connected with browsers that provided access to webmail, meaning confidential files could have easily been sent in that manner. The kiosks also featured USB access.
Ng stressed that he no longer possesses that data, after being advised by the Privacy Commissioner’s office to delete it. He also pointed out that files visible on the network via the kiosks are invoices and not social welfare records.
Even so, the invoices contained a great amount of identifying details about welfare clients. It was not even necessary in many cases to view the invoices to glean details of welfare clients. The file names visible on the network were long and descriptive, he said.
Ng also revealed that because MSD was handling the payment of invoices for the Canterbury Earthquake Recovery Authority (CERA), invoices for that government agency were also visible via the kiosks on a shared network drive.
This may take the breach beyond an issue of personal privacy and into the realm of commercial confidentiality, should information relating to ministry contractors be leaked.
Fairfax News reported that the minister for earthquake recovery, Gerry Brownlee, has confirmed that CERA information was shared with the MSD and may have been available to people using the kiosks.
At a media conference in Wellington today, the cabinet minister for social development and employment, Paula Bennett, labelled the privacy breach as “completely and utterly unacceptable.”
“Significant mistakes were made,” Bennett said. A review of the MSD’s information systems will be held, with reference terms to be published as soon as possible.
Bennett apologised to the New Zealand public for the breach and said she was "mortified".
MSD CEO Boyle said at the same conference that the breach was "embarrassing” and that he would do everything to make sure it doesn’t happen again.
He also said that the MSD was alerted to the issue last week by an informant who told the ministry that he was working with a journalist.
The informant “was quite vague” and sought a reward for providing the information. Boyle said this was something the MSD would not offer.
Boyle said the ministry did not take action because the informant did not provide any further details.
The informant is thought to be the same person that tipped off Ng.
Ng told iTnews his source had access to the data as well, but assured him that it had been deleted. He wasnot aware of any one else with access to the data.
Boyle says the kiosks were for the public to use, and that no logins were required. He is checking if there is an audit trail that could reveal how much information has been leaked.
“I am grateful to Mr Ng for cooperating and keeping the information secure, handing it to the Privacy Commissioner," he said.
Boyle said that while it is "too soon to say", it is “certainly not my intention” to prosecute Ng for unauthorised computer access, which is illegal under NZ computer crimes legislation.
Work and Income has 11 regional offices and over 140 service centres nationwide.