5 Feb 2016

Ministry investigates WINZ privacy breach

10:53 am on 5 February 2016

The Department of Internal Affairs and the Ministry of Social Development are investigating a privacy breach after a Work and Income client accessed someone else's information.

Yesterday, the man told RNZ he was trying to access his WINZ account through government's RealMe identity verification system and got another client's details.

The man - who wished to be known only as Tom - said he had access to personal details such as the other user's phone number and email address, and had the ability to go in and change the details. He was unable to access his own account.

The Ministry of Social Development said it had a team urgently working on how the mix-up happened.

The department's deputy chief executive Maria Robertson said there were more than a million successful log-ins every month to the WINZ service.

"There's no systemic issue here. What appears to be the problem - although the Ministry of Social Development is still looking into this - is somewhere down the track inside their systems, a person's information has been linked to the wrong person."

The ministry said it was an isolated problem, but another listener said he had a similar problem.

Andy Linton filed a superannuation form with WINZ electronically after logging on the site using RealMe, but when he went to be interviewed it couldn't be located.

Eventually, he said, it was found attached to someone else's account.

"When you fill in the super form you have to give your date of birth, and you have to give other details like when I became a citizen and you've got to give a whole bunch of details of when you arrived in New Zealand - stuff that I don't really want other people to see if it's not necessary.

"And that was attached to someone else's identity."

The department said it took people's privacy extremely seriously and had robust systems in place to protect client information.

'Serious breach of privacy'

However, cyber security expert David Ayers said it was not the first time WINZ had had one of its systems breached and that was cause for concern.

The incident was a serious breach of privacy, he said.

"We should be worried about the privacy breaches we're seeing in government and in particular, WINZ, as it was only a couple years ago that WINZ had another breach where [someone] walked into an office and used the kiosk to access private files...here we are with WINZ having further problems again."

The blame for the breach may not lie with its RealMe identity verification system, he said.

"It's less likely to be an issue with RealMe versus either a programming error in the WINZ website or some technological issues with what's known as internet caching, which is used to speed up the internet."

It was perfectly possible to design IT systems where such privacy breaches didn't happen, he said.

Get the new RNZ app

for ad-free news and current affairs