HONG KONG - When Keith Ng, a New Zealand journalist and blogger, walked into a government employment office last week, he wasn't exactly sure what he might find. Most people were there to find a job. Mr. Ng was looking for something else.
He had been told there was a “giant vulnerability†in the Ministry of Social Development's computer system, an exposure that allowed anyone to gain access to thousands of personal and private files in the ministry's database.
Using a public computer terminal in the employment office, Mr. Ng quickly found invoices, documents and sensitive case files. He found the names of children under government care, the identities of those up for adoption and even the prescription medications they were taking. He also found the names of people who owed the ministry money, along with the name of a social services client who had attempted suicide.
“There are probably more outrageous things still on that server,†Mr. Ng wrote on his Public Address blog, “and there are probably other servers that I've completely missed.â€
The case was the latest in a string of governmental errors in the handling of private information. Last year, the country's national accident insurer inadvertently e-mailed information about more than 6,000 clients to a claimant. And last month, the government tax department accidentally released the personal details of nearly 30 customers.
Even the conservative blogger David Farrar, generally a supporter of the government, called Mr. Ng's story a “must read,†saying he “has acted entirely properly and ethically.â€
As a result of Mr. Ng's revelations, the ministry has called for an inquiry to be headed by a “security expert†to establish how so much private information happened to be available on an open, public computer.
The accounting giant KPMG regularly tested the safety of the ministry's systems, according to Brendan Boyle, the ministry's c hief executive. Initially the ministry said that KPMG had found no issues with its security, although it now admits that it knew about the flaw but failed to fix it.
In a media briefing, Social Development Minister Paula Bennett said that security around the database for vulnerable children was paramount, the Dominion Post newspaper reported.
“None of this is acceptable to me, nor should it be to the public either,†Ms. Bennett said, calling the breach “very serious†and “a very serious mistake.â€
Mr. Ng had originally been told about the holes in the ministry's computer system by an information technology administrator, Ira Bailey.
Mr. Ng said Mr. Bailey had not hacked into the system. He discovered the flaws in the system while simply killing time at the employment office, which has free Internet access.
“He plugged in his USB drive and it didn't appear,†Mr. Ng said, “so he had a poke around the system to find it - and found the giant vulnerability instead.â€
Mr. Bailey said he contacted the ministry to ask whether there was a reward for revealing security vulnerabilities in its systems, like those Google and Facebook offer. The ministry said it offered no such rewards.
That's when Mr. Bailey went to Mr. Ng, who is known in New Zealand for his work on public interest stories.
Mr. Ng said he did not pay Mr. Bailey for the information apart from two coffees and “a bite out of my pistachio pie,†he told Stuff, a news Web site.
Mr. Ng used a crowd-sourcing site to help pay for his work, a method he has used before. After his latest blog was posted, he said online that he would appreciate donations for the week he spent on the job.
He had hoped for 1,500 New Zealand dollars, or about $1,220. But as of Tuesday night more than 5,000 New Zealand dollars had been pledged - making him, at least for a day, probably the best-paid journalist in New Zealand.
No comments:
Post a Comment