New Zealand government computers leak sensitive data
A blogger has found that he was able to view what should be confidential information from public-access kiosk computers at New Zealand's Ministry of Social Development (MSD). The blogger, Keith Ng, reports how, after being tipped off about the lax security on the MSD's publicly accessible systems, he was able to access several thousand invoices from several government departments – a clear example of why publicly accessible systems should be isolated from confidential production systems rather than relying on "kiosk" modes. The invoices included the full names and other details of patients, adoption candidates and foster parents. He was also able to access information on children living in care and protection homes.
Keith Ng decided to visit a Work and Income New Zealand (WINZ) office himself and documented the problem. WINZ, a department of the MSD, provides "locked-down" kiosk computers for job applicants to search for jobs online and send in CVs to potential employers. Ng discovered that through the Open File dialogue in Microsoft Office he could browse to many unsecured computers on the MSD's network and open any files that were not explicitly secured. These included file server logs that recorded the names of clients and the corresponding case numbers, as well as all of the MSD's invoices for the current year. The blogger had access to invoices with all significant details for contractors to the ministry, doctors (including names of patients, adoption candidates and foster parents), debt collection information (including full names and money owed) and details from the ministry's fraud investigation service. Additionally, Ng had access to invoices from court services provided on behalf of the MSD.
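The files Ng reached were exposed because both the share permissions and the NTFS permissions on the file servers let any domain account read them. The following PowerShell audit, added here as an example and not part of the article or of any MSD tooling, runs on a Windows file server and lists shares where both layers grant read access to a broad principal; the `CONTOSO` domain name is a placeholder.

```powershell
# Added example (not from the article): find SMB shares on this file server
# that any ordinary account could read, i.e. the "not explicitly secured" data
# a kiosk user could browse to through an Office Open File dialogue.
# Assumes the SmbShare module (Windows Server 2012+) and an administrator session.
# CONTOSO is a placeholder domain name.

$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'CONTOSO\Domain Users',
    'CONTOSO\Domain Computers'
)

function Test-BroadPrincipal {
    param([string]$Identity)
    # Some ACEs carry only the short name, so compare both forms, ignoring case.
    foreach ($p in $BroadPrincipals) {
        if ($Identity -ieq $p -or $Identity -ieq ($p -split '\\')[-1]) { return $true }
    }
    return $false
}

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Share-level permissions decide who may connect to the share at all.
    $shareAces = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName) }

    # NTFS permissions on the share root decide who may read once connected.
    $ntfsAces = (Get-Acl -Path $share.Path -ErrorAction SilentlyContinue).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (Test-BroadPrincipal $_.IdentityReference.Value) -and
            ($_.FileSystemRights.ToString() -match 'Read|ListDirectory|Modify|FullControl')
        }

    # Data is exposed only when BOTH layers admit a broad principal.
    if ($shareAces -and $ntfsAces) {
        [pscustomobject]@{
            Share    = "\\$env:COMPUTERNAME\$($share.Name)"
            Path     = $share.Path
            ShareACE = ($shareAces.AccountName -join ', ')
            NtfsACE  = (($ntfsAces.IdentityReference.Value | Select-Object -Unique) -join ', ')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No broadly readable shares found.' }
```

Shares listed here are reachable from any domain-joined machine with any domain account, including a kiosk; fixing them means tightening the ACLs, and separately putting kiosks on a segment with no route to the file servers.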
Access to the invoices provided anyone in a WINZ office with information on the care and protection homes set up by the MSD to provide secure places for children and young adults to live when their security or the security of persons around them is at risk. The invoices included names, dates and costs for residential arrangements of these children and young adults. Information on persons placed in an inter-agency "intensive interventions" program, aimed at providing care for children with the most demanding needs, was also leaked. One group contracted by the MSD had invoiced for providing support to a person after a suicide attempt.
With minimal effort, the blogger was able to download approximately 7,000 emails; he estimates this to be about a quarter of the accessible data. Aside from the aforementioned information, he apparently also had access to configuration files of virtual machines deployed on the network. After handing the data over to the Acting Privacy Commissioner, the blogger was contacted by the Ministry of Social Development which said that it will take the affected kiosk machines offline until the problem is resolved.