Story image

Did security flaw leave 63,000 Govt docs vulnerable?

Tue 16 Apr 2013
FYI, this story is more than a year old

The Ministry of Justice is alleged to have suffered a serious website security flaw last week, with the Labour Party claiming up to 63,000 documents may have been publicly accessed.

In an attempt to escalate the situation, the opposition said the vulnerability left the personal and financial details of tens of thousands of New Zealanders potentially exposed, potentially allowing a malicious person to redirect payments to and from members of the public.

“This is a very serious matter," said Clare Curran, Labour's Information Technology spokesperson.

"This is yet another gaping hole in the security of a major government site, with privacy and financial implications for a huge number of people."

Yet the reports of a breach were dismissed by government officials as wrong, throwing Curran's claims into question.

"There has been no privacy breach and no release of private information," said Rose Percival, the ministry's deputy secretary organisational development and support.

Undeterred however, Curran said the security flaw is alleged to have allowed access to Ministry of Justice passwords and databases, via a publicly accessible search engine on its website.

“The Ministry of Justice holds incredibly sensitive data – including information about the victims of crime.

"The Government has a fundamental duty to protect that information.

"This flaw, if exploited, could have a devastating effect on thousands of people."

Curran claims Labour alerted the Ministry of Justice at 9:30am on April 9 about the breach, yet within three hours made the information public in order to give the Ministry the time to identify the problem and take any immediate action necessary.

“This is the latest in a disturbingly long line of information technology security flaws and privacy breaches," said Curran, who was alerted to the breach by a whistle-blower.

"There is clearly a major systemic problem with IT security."

Despite alerting government officials, Curran accused minister Judith Collins of downplaying the issue, operating primarily via the Tenancy Tribunal section of the website.

“The Minister is attempting to divert attention from the seriousness of the gaping hole in the website’s security by claiming it was a malicious hack," Curran said.

"Yet the whistle-blower has offered to explain what happened to the Ministry and help it address the problem. Those are not the actions of a malicious hacker.

“In the past two years more than 100,000 Kiwis have had their privacy breached by government agencies, including the ACC, MSD, IRD and EQC.

“The National Government needs to treat this matter with the seriousness it deserves, and stop hiding behind human error as an excuse for not protecting people’s private information."

Should the New Zealand Government be better equipped to deal with security breaches? Or is it a case of scare-mongering by the Labour Party? Tell us your thoughts below

Recent stories
More stories