Keith Ng, the blogger who revealed the security lapse, posted in detail about how he gained access to the network and reached sensitive files that should not have been accessible through the publicly available kiosks. As of now, the Ministry has shut all kiosks while the investigations are under way.
Ng, in a bid to prove his point, grabbed files including contractor invoices, medical information, debt collection records and fraud investigation records. In his blog post, he noted, “I sorted through 3500 invoices. This was about half of what I obtained, and what I obtained was about a quarter of what was accessible.”
“There are probably more outrageous things still on that server, and there are probably other servers that I’ve completely missed,” he added. Ng notes that he intends to hand over all the documents to New Zealand’s Privacy Commissioner. Ng’s act has attracted criticism, as many believe that he might have stepped over the line when he grabbed the files to prove his point. National Business Review has an article up discussing whether Ng went too far and put himself at risk of jail under New Zealand’s Crimes Act.
In a press conference after the revelations about the security lapse, New Zealand minister Paula Bennett apologized for the security breach. During the press conference Brendan Boyle, the Ministry’s CEO, expressed appreciation to Keith for reporting this incident to the Privacy Commissioner and for keeping the data secure. The words of appreciation probably mean that Keith may not be prosecuted for what he did.
Boyle has announced an inquiry. He said, “I want to find out why the system was architected in a way that is insecure”. Boyle also revealed that sometime last week an unnamed individual contacted the Ministry asking for money in exchange for information about security issues in the kiosks.