Massive data leak in New Zealand government servers (opens in new tab)

Going that extra mile was necessary to make this a big story instead of having it brushed under the carpet. It seems that the leak was known about as much as a year ago (http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&obj...), MSD were informed, but nothing was done because there was no media firestorm. By showing what was exposed, Keith Ng made the horrific impact of the leak understandable to the public and media and greatly increased the likelihood that something will get done.

I think he has done this exactly right.

This department clearly doesn't value security (multiple levels of deep failure) and the only way to make it important is political pressure via the public and the media.

Only by revealing the breadth of the failure, and doing so publically, could any effective change occur.

It is obvious they could (and did) shut down or secure the kiosks quickly.

If he took a week to consult legal, decide best course of action, make up his mind on risking his neck, or WHATEVER, that is his right and fine by me.

Armchair criticism is easy. Kieth has taken a ballsy action as an individual and he gets my respect.

He did a public service. What he did is (according to lawyers) not illegal. See http://www.nbr.co.nz/article/keith-ng-facing-possible-two-ye....

I thought same thing, but read more and realized it was open for awhile, and no one seem to care. It took the breath of his examples to make everyone shock enough to notice.

The only thing that should be illegal is the way all that information was not secured.

In addition, the author claimed he spent a week preparing the story. Yet he only contacted the Acting Privacy Commissioner yesterday. He blog was published before the government had a chance to fix the issue. I find this irresponsible.

You are absolutely right and it will even get worse. The govs log your personal data including fingerprints etc. I'm real skeptical that they are able to store this sensitive data securely, but I guess I'm the exception. The most live after the slogan "I'm a honest citizen, I have nothing to hide".

But but but, I thought building a central health-care database is such a brilliant idea and saves so much money!11

I think private databases will be the biggest risk over time. Private entities share private formation across national boundaries.

Currently: facebook, telecommunication companies, Skype, gmail. Scary: Data aggregation services. Near future: face and iris databases.

Why would a public kiosk even be running a consumer OS? They should be running a bare-bones OS with EVERYTHING not necessary to perform their intended functions removed. AND be on their own network.

Why are power plant (and other similar) control systems in any way accessible by the internet?

Why are credit-card processor internal networks in any way accessible by the internet?

Answer: because it's what happens by default, and people are too lazy or too ignorant to configure appropriate safeguards.

Because we're living in an alternate universe where there's no such thing as VLANs?

Sadly you can imagine less honest user would of found this and not alerted anybody of athourity. The level of security being ustilised is at a level that how many years was it like this as it has been that secure since then sadly.

Many people also may have less respectful governments with regards to being alerted to this and could even end up charging you. Some even have laws against even checking if its is secure as it would be deemed hacking a govermental server. When you have that type of law then you can only imagine at the security in some of the offices. You hope they have good security staff and pentesters. This is clearly not the case with this oversight. It is beyond schoolboy error level even of security.

Still least in other countries they just leave all that data on a USB stick, so in that it is had to guage how much data leaked in comparision to others. But the opertunity is large and covers areas that can and could of caused alot of damage.

They seem to have been warned multiple times, here is someone saying they warned the department a year ago. http://m.nzherald.co.nz/nz/news/article.cfm?c_id=1&objec...

It's actually quite scary to read the comments on TFA and see that indeed, people did know about this breach.

That kind of thing only happens in New Zealand when the USA is threatening trade sanctions. In this case, not so much.

That was my first thought, sadly many other governments would never be as close to open as this in all compass directions of the World. So kudos to the NZ goverment upon that aspect.

Agreed. In fact I would go as far to say that All systems should be deliberately connected to a network physically accessible from the outside world. That way you cannot hide behind the assumption that you have not inadvertently connected.

All security layers have to be based on what you are allowed to do. Cutting abilities in a non-privilege-restriction manner is just asking for people to figure out another way to get through.

There is no excuse for some of the security errors we have seen. Especially not government incompetence being equal or greater.

It is true that startups should not concentrate on perfect security, as supplying something the buyers want should be absolute priority number one, but even then there's no reason to not at least get the basics right if there is any kind of sensitive data involved.