Entire MSD system 'may be compromised'

Updated at 1:27 pm on 16 October 2012

The man who uncovered the massive breach of security at the Ministry of Social Development says the whole department could be compromised.

The Ministry of Social Development has appointed Deloittes to investigate how private information was accessed through public computer kiosks in Work and Income offices.

IT analyst Ira Bailey says he used a public Work and Income kiosk while waiting for his bus last week, and it took just three minutes to get into the internal database and see the department's private information.

Blogger Keith Ng, who was also able to get sensitive data through a kiosk set up for job seekers, went public with the security breach.

Mr Bailey was arrested in relation to the Urewera raids in 2007. He is also an IT specialist.

He says that on part of the network, there was an information sharing file with departments from every part of the ministry.

"It seems unfixable really. You'd have to wipe everything and start from scratch, just because of the ease of access and the fact that it's been there for years. I would not be surprised at all if its totally compromised."

Mr Bailey contacted the Ministry when he found the breach and asked if it had any incentives for providing information, but he says they told him they did not.

He said he did not pursue the request, but instead told them about the problem.

Prime Minister John Key has criticised him for asking for money, but Mr Bailey says his motivation in letting people know was not about money.

"It was about the privacy breach of the most vulnerable in society and I knew that if I hadn't stopped them nothing would have changed."

The Ministry of Social Development has appointed Deloittes to investigate how private information was able to be accessed through public computer kiosks in Work and Income offices.

Questions raised about MSD network

Computer experts say the security breach raises questions about the security of the ministry's entire IT network.

Daniel Ayers, who heads a computer forensic investigation firm, questions how effective the review will be, saying the ministry needs to change the entire structure of its network rather than paper over the cracks.

"Everybody seems to think, naively, that if you do a security review, everything will be fine, and that's the answer to security concerns. And it's not true.

"What the ministry needs to be doing here is bringing in a network architect and a security architect to look at rebuilding their network properly."

Independent IT consultant Matthew Poole says as far as security breaches go, this is as bad as it gets - akin to leaving the door of a bank open so people can help themselves.

Mr Poole says a determination to drive down costs may be among the factors at play.

"Good computer security is not hard, but doing it well is not easy. The people that do it well also tend to be very expensive and they tend to be consultants - and if you're trying to cut back your IT budget the last thing you're going to spend money on is good quality security consultants."

The kiosks through which private information was able to be accessed were set up two years ago to allow Work and Income clients to search job listings, create CVs, apply for jobs and make appointments. They have now been closed.

Next story in National: All Whites beat Tahiti