Labour alerts Justice Ministry to gaping security hole

Clare CURRAN
Communications and IT Spokesperson

9 April 2013 MEDIA STATEMENT

Labour alerts Justice Ministry to gaping security hole in its website
Labour’s Information Technology spokesperson, Clare Curran, has today alerted the Ministry of Justice to a serious security flaw in its website.

The vulnerability leaves the personal and financial details of tens of thousands of New Zealanders potentially exposed, and might allow a malicious person to redirect payments to and from members of the public.

“This is a very serious matter. This is yet another gaping hole in the security of a major government site, with privacy and financial implications for a huge number of people,” says Clare Curran.

The security flaw allows access to Ministry of Justice passwords and databases, via a publicly accessible search engine on its website.

“The Ministry of Justice holds incredibly sensitive data – including information about the victims of crime. The Government has a fundamental duty to protect that information. This flaw, if exploited, could have a devastating effect on thousands of people.

“Earlier today I wrote to the Ministry of Justice, the Minister Judith Collins and the Privacy Commissioner alerting them to the issue, which must be addressed urgently.

“This matter was brought to my attention by a whistle-blower. That person has agreed to help the Ministry of Justice in any way they can to ensure the security flaw is fixed.

“This is the latest in a disturbingly long line of information technology security flaws and privacy breaches. There is clearly a major systemic problem with IT security.

“In the past two years more than 100,000 Kiwis have had their privacy breached by government agencies, including the ACC, MSD, IRD and EQC. This is an issue of public trust and confidence in government systems.

“The National Government needs to treat this matter with the seriousness it deserves, and stop hiding behind human error as an excuse for not protecting people’s private information,” says Clare Curran.



Ministry of Justice security flaw Q and A

What is the nature of the security flaw?
The flaw allows access to what appears to be Ministry of Justice databases covering licences and fines. Those databases would likely include the personal details of many victims of crimes.

Access to the page containing passwords for the databases was found via a publicly accessible part of the Ministry of Justice website.

How serious is this vulnerability?
This is a serious flaw. The passwords were contained in a plain text file, and those passwords could be used to access incredibly sensitive information, and could potentially allow someone to alter fines payments and financial records.

The MoJ website is very vulnerable to anyone who is serious about trying to break into it. The MoJ website’s security is nowhere near an acceptable standard.

Potentially how many people’s information is at risk because of this problem?
That is not clear. But the databases in question could include information about people that the Courts have imposed a fine upon, and any victim of crime that is receiving reparations. At the very least the databases also hold the details of those with licences issued by the Ministry of Justice.

How did Clare Curran become aware of the issue?
Clare Curran was contacted by a concerned member of the public, who identified the vulnerability. That person contacted her in the hope that she could help expose the problem and get it fixed.

The whistle-blower did NOT access the Ministry databases, but did view the plain text file that contained the passwords. This confirmed the seriousness and extent of the security issue. This file has been passed on to the Ministry of Justice.

Clare Curran will not be publicly identifying her source, but they have agreed to help the Ministry of Justice to address this problem.


© Scoop Media