Ng reveals massive MSD privacy breach

October 15th, 2012 at 7:55 am by David Farrar

This is a must-read story. Keith Ng details how you can access pretty much the entire computer system through MSD's public kiosks. We are talking sensitive details magnitudes worse than in the ACC breach. We’re talking:

  • fraud investigations
  • invoices including all contractors (including their media trainers who will now be much needed)
  • details of candidates for adoptions
  • children in CYFS care
  • medical records
  • Debts owed to MSD
  • Full names of kids in their High and Complex Needs section
  • Names of kids in CYFS residential care
  • Phone bills that reveal physical addresses of CYFS homes
  • Bills from pharmacies that detail which children get which medications
  • An invoice from a community group for whanau support after a suicide, with the full name of the deceased

Keith says:

  • Public kiosks should not have been connected to the corporate network.
  • Servers that didn’t need to be globally accessible should not have been globally accessible, even if they only contained innocuous data.
  • Invoices, file logs and call logs, at a place like MSD, should not have been treated as innocuous data. 

That is a minimum. I’d expect invoices to be username and password accessible only. But the first point is the key one – the kiosks should not be linked to the corporate network.
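An added illustration (not code from Ng's write-up or from MSD) of the two controls Keith's points describe: the kiosk's network segment and the share ACL are modelled as independent layers, so the weak configuration the post describes can be compared with a hardened one, and the check shows that either layer alone would have stopped a kiosk session browsing to the file shares. Server, share, segment and group names are constructed.

```python
from dataclasses import dataclass

SMB_PORT = 445  # browsing \\server\share in a file-open dialog is just SMB traffic

@dataclass(frozen=True)
class Principal:
    name: str          # the account the kiosk session runs as
    groups: frozenset  # its group memberships
    segment: str       # network segment the kiosk sits on

@dataclass(frozen=True)
class Share:
    server: str
    name: str
    read_groups: frozenset  # groups granted Read by the share/NTFS ACL

    @property
    def unc(self):
        return f"\\\\{self.server}\\{self.name}"

@dataclass
class Network:
    server_segment: dict  # server -> segment it lives on
    allow: frozenset      # permitted (src_segment, dst_segment, port) flows

def layer_network(net, principal, share):
    """Layer 1 (Ng's first point): may the kiosk segment reach the server on SMB?"""
    return (principal.segment, net.server_segment[share.server], SMB_PORT) in net.allow

def layer_acl(principal, share):
    """Layer 2 (least privilege): does the kiosk account hold a group with Read?"""
    return bool(principal.groups & share.read_groups)

def reachable(net, principal, shares):
    """UNC paths the kiosk session could open from any file dialog."""
    return sorted(s.unc for s in shares
                  if layer_network(net, principal, s) and layer_acl(principal, s))

def blocking_layers(net, principal, share):
    """Independent layers that stop this path; an empty set means exposure."""
    layers = set()
    if not layer_network(net, principal, share):
        layers.add("network")
    if not layer_acl(principal, share):
        layers.add("acl")
    return layers

# Constructed sample estate: one corporate file server, one kiosk content server.
CONTENT = Share("kiosk-web01", "Content", frozenset({"Kiosk Users"}))

def weak_config():
    """As described in the post: kiosks on the corporate LAN, broad read ACLs."""
    net = Network(server_segment={"msd-fs01": "corporate", "kiosk-web01": "corporate"},
                  allow=frozenset({("corporate", "corporate", SMB_PORT)}))
    kiosk = Principal("kiosk-svc", frozenset({"Authenticated Users", "Kiosk Users"}),
                      "corporate")
    shares = (Share("msd-fs01", "Invoices", frozenset({"Authenticated Users"})),
              Share("msd-fs01", "CYFS-Care", frozenset({"Authenticated Users"})),
              CONTENT)
    return net, kiosk, shares

def hardened_config():
    """Kiosks on their own segment with one permitted SMB flow, role-based ACLs."""
    net = Network(server_segment={"msd-fs01": "corporate", "kiosk-web01": "kiosk-content"},
                  allow=frozenset({("kiosk-dmz", "kiosk-content", SMB_PORT),
                                   ("corporate", "corporate", SMB_PORT)}))
    kiosk = Principal("kiosk-svc", frozenset({"Authenticated Users", "Kiosk Users"}),
                      "kiosk-dmz")
    shares = (Share("msd-fs01", "Invoices", frozenset({"Finance"})),
              Share("msd-fs01", "CYFS-Care", frozenset({"CYFS Caseworkers"})),
              CONTENT)
    return net, kiosk, shares

if __name__ == "__main__":
    for label, (net, kiosk, shares) in (("weak", weak_config()), ("hardened", hardened_config())):
        print(f"{label}: kiosk can open {reachable(net, kiosk, shares)}")
        for s in shares:
            print("   ", s.unc, "blocked by", sorted(blocking_layers(net, kiosk, s)) or "nothing")
```

Mixing the hardened network with the weak ACLs (or the reverse) still leaves only the content share reachable, which is the defence-in-depth point: a locked-down file dialog on the kiosk is not one of these layers.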

It goes without saying that there must be a full inquiry into this. I have to say that my expectation is there should be staff resignations over this. This is not like ACC where the privacy breach was a mistake – a file accidentally attached to an e-mail. Mistakes will always happen. This appears to be a case of fundamentally flawed decisions – such as connecting the kiosks to the corporate network.

I don’t know how long it has been this way, but it must change.

Keith is a freelance journalist. If you want to help fund the excellent work he has done in this area, you can donate to it here. I have.

Talking of insecure data, you should also read how Whale managed to change the advertisements on The Standard through an insecure adserver. Also not a good look.


49 Responses to “Ng reveals massive MSD privacy breach”

  1. George Patton (347 comments) says:

    Agree. Paula Bennett must act fast and decisively, and demand the resignations of those who approved this decision. The IT providers should also be called out for such shameful provision of services.

  2. Pete George (22,754 comments) says:

    This has to be investigated and dealt with thoroughly before they go anywhere near a vulnerable child database.

  3. Jimmy Smits (246 comments) says:

    Paula Bennett must act fast and decisively.

    Don’t hold your breath.

  4. flipper (3,537 comments) says:

    Shut down? No, meltdown…..an MSD “China” syndrome (was that the name?) ?

    There are obvious limitations (even to a farmer’s wife with a standard 4 education, as the saying goes) as to what should be available at any public kiosk. It does not take a geek to provide the answer to that. Plain dumb.

    But just two further questions: 1) What was Mr Ng doing at the kiosk? & 2) Is he a “client” of MSD/WINZ?
    If so, maybe WINZ should now hire him as a computer security spec. One “client” less! :)

  5. Graeme Edgeler (3,262 comments) says:

    Also – this is much bigger than the Kiosks.

    Why does any Work and Income staff member with a computer have access to all this stuff? Why would a DPB caseworker even need to be able to access the files of DPB clients in other towns, let alone access the medical details of children in care homes?

  6. barry (1,317 comments) says:

    Jeez – when will everyone realise that if you have any computer network then it will always be open to full access.

    Either by stupidity by the network operators or by hackers. It’s inevitable so I think everyone should get used to it.

    Anyway – these departments are financed by tax payer funds so why should the info all be so secret…….

  7. wreck1080 (3,725 comments) says:

    Even once into the corporate network, I’d have expected employees only have access to information they require.

    It sounds like that may not be the case.

    It really sickens me. I’ve looked at government IT job advertisements and many require mini-Einsteins.

    Management positions require all sorts of certifications and vast levels of experience and competence.

    But, the truth is that a number of government IT managers and workers are incompetent to the level of criminality.

    I don’t get the vast gulf between what they request in workers and what they get.

  8. projectman (203 comments) says:

    Serious questions to be asked about system design, and particularly pre-release testing. If private consultancy organisations were involved they, too, should start worrying about the gun to be pointed at their head.

  9. wreck1080 (3,725 comments) says:

    barry — you are wrong. It is easy enough to control access within a network.

  10. Keeping Stock (10,092 comments) says:

    Keith Ng has played this very responsibly; publish a blog-post late on a Sunday night (10pm), having given MSD and the Privacy Commissioner a heads-up, and without revealing any personal information himself. Others may not have been so responsible.

    This is a serious breach, and Paula Bennett’s response as well as that of the MSD CEO will be watched with much interest.

  11. toad (3,669 comments) says:

    @ Keeping Stock

    This is a serious breach, and Paula Bennett’s response as well as that of the MSD CEO will be watched with much interest.

    And the MSD CEO’s immediate previous job was – wait for it – Government Chief Information Officer.

  12. Pete George (22,754 comments) says:

    And this could get worse:

    This morning a beneficiary advocate has claimed the Ministry of Social Development was made aware of the flaw in its computer servers more than a year ago.

    http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10840564

    Other similar claims have been surfacing. An awful look could turn horrendous.

  13. tristanb (1,133 comments) says:

    I was expecting this to be some sort of complicated buffer overflow tactic, or something else I barely understand.

    But it was as simple as going to the open dialog in Word, and choosing the unsecured folders. This problem wouldn’t even be very hard to fix. There will be someone responsible for setting up the kiosks. This person needs to be held to account.

    I’d also be surprised if no-one else has worked this out yet. I know many clients aren’t the most computer savvy, but all it takes is one unemployed nerd playing around who is a bit less ethical than Ng, and he could stick the whole database onto Apple Cloud.

  14. berend (1,631 comments) says:

    And please all remember: this is the same government that wants to put 30,000 kids in a database.

    OK National apologisers, say after me: but this time we will get it right and take all necessary precautions.

    Yep, sure you will. Government is not the solution, it’s the problem.

  15. flipper (3,537 comments) says:

    Keeping and Toad… Good points, both.

    The ACC was clearly (but preventable) human error. This MSD/WINZ case appears to be negligence. If there is any truth to the “year ago” allegations, who knew what and when?
    If MSD supervisory staff knew – good riddance! If the CEO (chief clerk) or SSC or Paula knew …. “Good night pussycat(s)”.

  16. barry (1,317 comments) says:

    Wreck1080 – I think the two recent cases (ACC and this one) prove beyond any sort of doubt that there is no such thing as absolute barriers. It’s probable that in both cases it was stupidity – but if a hacker wants to they have even been able to get into such ‘impossible’ places as the CIA.
    Although one wonders why anyone would want to get into a place like the ACC or WINZ – the fact is that there is no such thing as a guaranteed safe database.

  17. peterwn (3,144 comments) says:

    I suppose David Shearer will start fussing about when and what John Key knew about this. Would be interesting to know when the key decisions which led to this situation were taken.

    This stuff is hardly IT rocket science. It also raises the issue of whether there is adequate control and audit trails on staff access to information. If there were, then hopefully audit trails may be available for personal info accessed via public kiosks and this would indicate what breaches actually occurred and which clients were affected. It was probably very few, since the whistle seemed to have been blown before the leak became generally known.

    There has been another long term but lesser known problem with MSD systems, manuals, etc – they have been out of sync with the Social Security Act and associated regulations, etc. Presumably they are being brought into sync as discrepancies are found although I do not know what the current situation is. This means staff may refuse a benefit or supplement which is available under law.

  18. campit (458 comments) says:

    I hope MSD don’t shoot the messenger here – in fact I think they should be paying Keith for a fairly comprehensive audit of accessible data. Seriously. I wonder how much MSD / WINZ have paid external consultants over the years for IT audits?

  19. dc (173 comments) says:

    Horrendous. The CIO should resign or be sacked, but I guarantee they won’t be.

  20. fish_boy (152 comments) says:

    “…Horrendous. The CIO should resign or be sacked, but I guarantee they won’t be…”

    Actually, the scale of this privacy breach is so bad that I would expect Paula Bennett to resign and spend at least the next six-nine months on the naughty step of the back benches. Remember these kiosks were introduced by this minister in 2011 as a cost cutting initiative. The conception and implementation of these kiosks occurred exclusively on this minister’s watch.

  21. Hamnida (905 comments) says:

    Bye bye Paula.

  22. dave (985 comments) says:

    Graeme,

    MSD staff have access to records nation wide. One reason a DPB case manager in Wellington has access to a similar case in Auckland is because so many people move and even if they tell MSD, the case is not often transferred to the correct branch on SWIFTT or the physical file gets lost. So that Wellington person can transfer it from Auckland to the correct branch. However, it is fair to say that Keith Ng could probably navigate the system better than most case managers.

  23. Keeping Stock (10,092 comments) says:

    @ peterwn; actually I have it on VERY good authority that John Key made a joke to MSD IT staff about Kim Dotcom, and that David Shearer and Fran Mold are taking Patrick Gower and Duncan Garner out to lunch today to plan the lead item for 3News tonight. David and Fran claim to have seen the video…

    Oh, wait…..

  24. Bevan (3,965 comments) says:

    Bye bye Paula.

    Nice wet dream you’ve got going there. Hate to break your bubble, but it is more likely the organisation’s IT staff will be brushing up their CVs this morning. Mind you I don’t know why – who the fuck would hire them now? Bastards don’t even utilise basic folder security.

    On a side note, wonder how much the PSA will be willing to die in a ditch for the tech staff over this?

  25. Nookin (3,033 comments) says:

    “Bye bye Paula.”

    If she has known about this and has done nothing or if she went ahead with a programme (including costs cutting) having been warned that it would compromise security then you may be right.

    If an IT contractor stuffed up, then you are being a prat.

  26. wreck1080 (3,725 comments) says:

    @barry — there is no such thing as 100% security but MSD falls way short.

    At minimum I’d expect sensitive files and data to be password encrypted within the intranet. And employees can only access data within their job scope.

  27. Mark (1,360 comments) says:

    This has the potential to make the ACC issues look trivial.

  28. wf (371 comments) says:

    Privacy? The best way to keep stuff private is to keep away from government agencies as much as possible, even I know that.

    As Barry said, it’s all funded by the taxpayer, so what’s the secret? Let it all out for public scrutiny, I say.

    Personally I spent many years working in a hospital, trying to access reports from the lab. It was hopeless, my password was most often refused, or the system choked, much easier to ring and ask a real person.

    It will take years to get an integrated system working – you’ve only got to look at how hard it was to get bus tickets sorted -

  29. RRM (9,427 comments) says:

    So… we all “know” that the civil service is “too big” and “employs too many people” for what it needs to do…

    So we make downsizing the civil service our number one flagship policy.

    (RAAR! Too many civil servants! Cut their pay, double their hours! RAAR!)

    Let all this run for a few years –

    And now it turns out that basic things Govt departments are doing are FUCKED in a big way… fancy that huh?

    Or is this all solely the fault of the I.T. geeks, or some other scapegoat?

  30. gazzmaniac (2,317 comments) says:

    It’s not hard to put passwords on network folders RRM. A 14 year old can do it.

  31. davidp (3,540 comments) says:

    RRM>And now it turns out that basic things Govt departments are doing are FUCKED in a big way… fancy that huh?

    The real issue here isn’t that the kiosk-using public could access sensitive data, but that every MSD employee and contractor could (presumably) access sensitive data. Sensitive data needs to be protected and only the minimum subset of people who require access should be given access. That access must be logged. However, government agencies (or at least the ones I’ve had involvement with) seem to take the view that all their staff are trustworthy and internal controls aren’t required. That is a cultural issue rather than a budgetary one. I’ve worked with one agency that handles personal information, had a huge over-manned IT group, and still had their head in the sand when it came to internal controls and staff trust.

    It is hard to retrofit internal controls and access management in to existing business systems. Both from the technology point of view, and also the political as you essentially tell some staff that they will no longer have access to sensitive data. There is the potential for problems if the changes you make to add internal controls break anything. I think because of this, CIOs tend to stay clear. I think maybe the solution is that every agency should have a senior CEO-reporting manager responsible for security and privacy and they should drive improvements, rather than someone in IT. The CIO would report to the risk and privacy manager on matters of business system security and privacy. Then make the CEO ultimately responsible for the security of their business systems, just like they’re legally responsible for the accounts and other reporting matters.

  32. OECD rank 22 kiwi (2,810 comments) says:

    Keith is a freelance journalist. If you want to help fund…

    I don’t fund socialist losers voluntarily.

    Cheers.

  33. Mark (1,360 comments) says:

    It will be interesting to watch this develop politically. How does National react and deal with this issue now it is out there and can Labour make it hurt for National. I am not convinced that Labour has the fire-power to really take full toll on National for this. It is going to stretch Bennett in terms of how tough she is going to be here. One expects that there will be much gnashing of teeth at the Cabinet table.

  34. Bevan (3,965 comments) says:

    Or is this all solely the fault of the I.T. geeks, or some other scapegoat?

    Nope, it’s from the low-level technician all the way up to the CIO. Also the Project Manager responsible for the implementation should never be allowed to work in the industry ever again.

  35. orewa1 (428 comments) says:

    The government cannot duck this one. Right across the public service we have seen cost-cutting taken to ludicrous extremes. IT staff, including CIOs, have been in the thick of this. Senior people are massively under resourced. They can only do the best they can with half the resources they need, and hope for the best.

    It is time public sector CEOs stood up to their political masters and demanded resource where needed.

    That said, role-based access is a fundamental element of any IT system. Someone – probably several people – have stuffed up to a catastrophic extent. The Chief Executive and Minister both have to be held to account for this, as well as the unfortunate worker/s who have tried to do too much with too little.

    By far the worst of the major security breakdowns we have seen in the past few months.

  36. rangitoto (193 comments) says:

    This is nothing to do with resources. It is gross incompetence on behalf of the system designer or implementer. If the latter then whoever was overseeing the project is also incompetent.

  37. davidp (3,540 comments) says:

    rangitoto>This is nothing to do with resources. It is gross incompetence on behalf of the system designer or implementer.

    Exactly. The kiosks needed to be implemented in a non-corporate network segment. That doesn’t require extra staff. It requires a paragraph in an architecture document and a change on a Visio diagram.

  38. ross69 (3,652 comments) says:

    > This is nothing to do with resources.

    Oh that’s a relief, so all will be fixed in 5 minutes at no cost.

  39. labrator (1,745 comments) says:

    Wouldn’t surprise me if there is loads of role based authentication but, seeing as they locked down the file open dialogs, someone decided that running the kiosk as a privileged user would do no harm. I’ve seen people make dumber decisions under the pressure to get a project “across the line”. Yes it shouldn’t have happened but I await the outcome of the inquiry to find out the finer details. Low level incompetence wouldn’t surprise me.

  40. Mark (1,360 comments) says:

    peterwn (1,821) Says:
    October 15th, 2012 at 9:22 am
    I suppose David Shearer will start fussing about when and what John Key knew about this. Would be interesting to know when the key decisions which led to this situation were taken.

    Shearer and Ardern should be digging to find out whether Bennett or Key knew about this before it was exposed as it goes to ministerial credibility. In the meantime Bennett needs to find the responsible person(s) and ensure they are not around to enable them to make the same error again.

  41. cha (3,779 comments) says:

    Was Huawei involved?

  42. SHG (360 comments) says:

    Remember these kiosks were introduced by this minister in 2011 as a cost cutting initiative. The conception and implementation of these kiosks occurred exclusively on this minister’s watch.

    The kiosks are just a symptom of the problem, not the problem itself. The problem is that the MSD has no information security.

    Fine, the kiosks have been disabled, great. But every computer at the MSD has access to this info, not just the kiosks. There are over 200 physical MSD offices in NZ. Multiply that by the number of computers at each office, then by the number of people with access to those computers, then by the number of people with access to those people and you’ve got a fucking infopocalypse of sensitive data.

    I wonder if any of those MSD offices have open Wifi APs?

  43. slijmbal (1,210 comments) says:

    labrator’s explanation is the most likely. There are a number of ways that sophisticated security can be bypassed by a poor decision by a single systems person. The environment may well have been very secure and all of this got undone by one silly act. Another possibility is that it was tested using a privileged account and got promoted with the equivalent account into production.

    It does seem a naive approach to disable some specific Windows commands and expect that to be sufficient protection if that is what someone has done. If we then add that to use of what looks like a highly privileged account then that is silly.

    Even the most incompetent IT in government puts in some levels of security based on the ‘don’t get head above parapet or it will get shot’ principle. In fact the ones I have dealt with (quite a few) often tie down the information so much that you cannot actually get at what you need. They would rather not be found out accidentally making sensitive data available than allowing employees to do their job properly.

    I would like to know whether the systems management is outsourced as I have seen this be the cause of silly undoing of security. The vendors underbid to get the business and use a mix of on and offshore staff with the huge possibilities of communication snafus. I have seen this cause disabling of security by systems people who have no real understanding of the real needs.

    I have also seen government support staff screw up systems stuff on many an occasion. Normal response was for them to blame me or my team and then make us prove they screwed up and then fix it. I learnt not to mind this once we had agreement we would bill all of these occasions. A new revenue stream and the groups who were my customers in the government departments saw us as the saviours and learnt to dislike their own IT even more.

    Mind you local government support staff seem to be better than getting offshore cheapo labour.

    There is a high likelihood that, ironically, the staff can see much less, and what is much more appropriate for their role, than the kiosk users. So those jumping to the conclusion that there is no security and it is all open slather – that is much less likely. Could still happen but I believe unlikely.

    On the systems security check – 2 likely options – it was secure and someone did something stupid after the vendor checked or they were similarly naive. Any decent security vendor would be unlikely to miss such a hole.

    On those saying it shows all the databases are accessible – NO NO NO – it means that the file system was accessible – so all the documents. Ng would not have been able to view the telephone logs – and the database cannot be accessed from the file system.

  44. slijmbal (1,210 comments) says:

    Just saw on the news Brendan Boyle is the CEO. Worked with him some years ago on a government IT project. He was actually pretty competent. This could get really embarrassing as he was the government CIO prior to taking up the CEO role.

    My guess is he has lost his job.

  45. scrubone (3,044 comments) says:

    Oh that’s a relief, so all will be fixed in 5 minutes at no cost.

    It might have taken a little more work and cost to implement this on a separate system, but not significantly more. But of course having put the resources in to build it, they now need to go back through that entire process.

    Reading through some of the comments here, I think some people have an unrealistic idea of how security should operate but there is no way a public system like these kiosks should have any access whatsoever to any network resources.

  46. nark (13 comments) says:

    There’s been no evidence disclosed that every MSD user & computer has access to that data.

    For all we know it’s “just” that the user credentials they used on the kiosks have access.

  47. nark (13 comments) says:

    Designed and run by inhouse MSD IT

    Penetration Testing performed by Dimension Data as already disclosed elsewhere

  48. Mark (1,360 comments) says:

    Keith Ng’s website article on this is worth a read. The extent of the weakness in systems security is simply mind boggling. This is not a simple oversight issue.

  49. hj (6,342 comments) says:

    Wikipedia:
    A moral economy, in one interpretation, is an economy that is based on goodness, fairness, and justice. Such an economy is generally only stable in small, closely knit communities, where the principles of mutuality — i.e. “I’ll scratch your back if you’ll scratch mine” — operate to avoid the free rider problem. *Where economic transactions arise between strangers who cannot be informally sanctioned by a social network*, the free rider problem lacks a solution and a moral economy becomes harder to maintain.

    *isn’t that an argument for less privacy?

