MSD fail
Moved from onmylemon.co.uk
When security fails, it’s all good to point and laugh, but sometimes it really isn’t funny.
The MSD (Ministry of Social Development) in New Zealand set up a kiosk system to assist with job seeking at local centres around the country. Unfortunately they didn’t heed the security report produced by Dimension Data and left open a gaping hole into their enterprise network.
This hole was accessible through one of the oldest tricks in the book: Microsoft Word’s File > Open > Browse Network. This gave people access to such gems as adoption papers, records of “at risk” children, plain-text passwords for accessing internal systems and invoices of intra-department payments.
While security breaches are commonplace nowadays, this type of ineptitude within a government agency is shocking to say the least, especially when the following seems to apply to all personal information in New Zealand:
“Section 6, Principle 5 of the Privacy Act 1993 states that the ministry must do ‘everything reasonably within the power of the agency’ to prevent unauthorised use of the private information they hold.”