Systemic privacy breaches

Written By: - Date published: 9:35 am, April 10th, 2013 - 63 comments
Categories: accountability, public services

This government is leaking data and documents at a truly unbelievable rate.

There were three cases yesterday alone:

• The leak of the Kitteridge report to Fairfax Media (who had copies? who leaked it and why?).

• Yet another Novopay stuff-up, 1600 schools are sent private details of teachers at other schools. 3400 teachers are affected, 40 particularly so.

• Labour’s Clare Curran revealed that 63000 Ministry of Justice documents were left in plain view on a website – data that include passwords in plain text. Curran writes: “I have been told that these are basic security flaws not requiring a lot of computer programming knowledge”.

But wait – there’s more:

• the Ministry of Justice case is of course very similar to the massive amateur hour WINZ security breach revealed by Public Address blogger Keith Ng last year

• the ACC breach in 2011 where details of 6000 clients were sent to Bronwyn Pullar (the resulting fuss resulted in the resignations of ACC minister Nick Smith, ACC chair John Judge, two directors and chief executive Ralph Stewart)

• let’s not forget Paula Bennett’s vindictive release of the private details of two welfare beneficiaries that she took a dislike to

• the EQC emailing confidential details of 98000 claims to a blogger / advocate

• the EQC leak of 22000 names and $23 million worth of financial information (an incident which resulted in a bizarre complete shutdown of EQC’s email systems for days)

• any number of incidents at WINZ,

• an incident involving the Ministry of Health

• and the Ministry of Education

• and Immigration New Zealand

• and the Ministry for the Environment

• and so on and so on – who knows how many I have missed – add them in comments.

When pressed on this last month John Key tried to downplay the incidents:

Key: Email gaffes not systemic

Mr Key yesterday said he didn’t believe the latest breach suggested any systemic private data handling issues across the public sector.

But the breaches have kept coming, and systemic is now clearly what they are. In fact, yesterday Bill English had this to say:

Govt cannot guarantee public information is protected – English

The Government cannot guarantee all information it holds about members of the public is safe, Finance Minister Bill English has admitted. English revealed the worrying state of Government department databases in the wake of new security breach allegations.

Perhaps more public sector job cuts will fix the problems.

63 comments on “Systemic privacy breaches”

  1. Colonial Viper 2

    Get rid of that back office staff and eliminate procedures, processes and regulations, what do they do anyways.

  2. Private Baldrick 3

    The solution is obvious – ban all computers and only communicate via turnip.

  3. BM 4

    Just highlights how incompetent the public service is.
    Get rid of the lot of them, useless.

    I’m surprised you’re so keen to put the boot in and point out their incompetence.
    Are you an Act member?

    • Pascal's bookie 4.1

      I strongly suggest you campaign on such a policy.

    • Arfamo 4.2

      Yeah, right. Bring in people like the directors of all the failed finance companies and mainzeal. They’ll fix it. Cuts to the public service and moronic internal ructions caused by inept, clueless government-friendly CEOs with directions from above that have disastrous effects are the cause of these problems. The dumbing down of the public service seems to be deliberate Natsy policy. These are all the hallmarks of departments in chaos.

    • Draco T Bastard 4.3

      Just highlights how incompetent the public service is.

      Wrong, it shows how incompetent the private sector is as these systems were probably put in place by the private sector.

      I’m surprised you’re so keen to put the boot in and point out their incompetence.

      Pointing out that things are going wrong is a duty we all share. The problem really comes down to the solution proposed. We’ve tried cutting government budgets and using the private sector to put in place the needed government services and what we now have is failing government service.

      This government and idiots like you think that we should keep cutting the budgets and getting the private sector to do the governments job. Following this advice what we’ll get is an ever more failing government service and it will continuously cost us more and more.

      The actual solution is a full government IT department charged with supplying all government departments with the software that they need as well as covering system security. This will bring about savings through economies of scale as well as having the professionalism and institutional knowledge base available to ensure that security systems are properly implemented.

      • Arfamo 4.3.1

        +1 @ DTB. The private recruitment agencies so many government departments use nowadays are another source of incompetent appointments to the public service. Management has no idea of what skills are really needed in their own departments. The chaotic state of public sector IT systems and security reflects this disconnect.

      • infused 4.3.2

        Time and time again it’s been proven it’s not the system at fault. It’s the user. This would lead to training/management issue.

        Not checking your To: field is fucking retarded.

        • One Anonymous Knucklehead 4.3.2.1

          Bullshit.: to err is human

        • Draco T Bastard 4.3.2.2

          PEBKAC applies, no doubt about it, but that can usually be minimised by training. As budgets are being cut, though, how is the department supposed to be able to afford the training?

          Then there’s the point that the people asking for the systems should have been adequately advised on what the system could do, what training was needed and what the system should not be able to do. What we’re seeing is, IMO, a haphazard approach as different government departments go to different suppliers to get their IT needs seen to (and they probably shift suppliers between upgrades as well) with the result that no-one truly knows WTF is happening. When it comes to the need to share the data across departments the systems don’t talk to each other, and so emailing individual files becomes the norm and we end up with the security breaches that we’re seeing.

      • ropata 4.3.3

        DTB,
        Contractors are insulated from the (dysfunctional) culture and politics of a workplace, they will do whatever is their mandate, can’t be bullied so easily, and it’s in their interests to be honest in their final reports. Usually they are confident, capable people with a good track record.

        Nothing wrong with having a good internal IT capability of course. But some projects need extra skills and resources that aren’t so common in an IT shop, eg. performance or security architecture.

        • Draco T Bastard 4.3.3.1

          Contractors are insulated from the (dysfunctional) culture and politics of a workplace, they will do whatever is their mandate, can’t be bullied so easily, and it’s in their interests to be honest in their final reports. Usually they are confident, capable people with a good track record.

          Yeah, we keep hearing BS like that and then we get things like Novopay.

          Nothing wrong with having a good internal IT capability of course. But some projects need extra skills and resources that aren’t so common in an IT shop, eg. performance or security architecture.

          The government is big enough to employ such skills permanently.

    • Northshoreguynz 4.4

      When you cut the public service, the pressure comes on those doing more work, and finally the shit hits the IT fan.

  4. Coronial Typer 5

    So the Opposition should develop this as a theme, along the lines of:
    “You just can’t trust them”
    “This is my life and my information”

    It will never be enough to bring a government down by itself, but it’s acidic.

    • McFlock 5.1

      Once or twice can happen to any government.

      Over a dozen serious leaks in 4 1/2 years? Yep, that’s systemic. And as a systemic issue, it goes straight to the top.

      • BM 5.1.1

        I’d blame Labour party fanatics purposely throwing spanners in the works.
        The public service is completely compromised, the only cure in my eyes is fire.

        • Arfamo 5.1.1.1

          You are saying that staff who blunder into emailing out private information they shouldn’t have to people who will then report them to the media and opposition parties for privacy breaches and place them at high risk of being immediately identified and possibly dismissed are doing it deliberately because they are Labour party fanatics? Seriously? Don’t be daft.

          • BM 5.1.1.1.1

            What about the recent incident with Clare Curran?
            Why did that employee pass information on to Labour instead of reporting it to someone in charge?
            Obviously scoring points against National is much more important than working for the good of the public service.
            How many more have the same fanatical mindset as that individual? In all honesty I can’t see how National can have any faith in the public service.

            • Arfamo 5.1.1.1.1.1

              I think that was probably the fastest way to get the problem fixed. Collins tried to deny there was even a problem. In all honesty I don’t see how any public servant can have any faith in National doing anything except covering up the messes they’ve created. In any case, I don’t recall it being established that it was a public service employee who discovered the problem.

              • BM

                If a public servant doesn’t understand the concept of neutrality then the public service is the last place they should be working.
                Bloody Clark filling the government departments with all her lackeys, she’s completely fucked the public service.
                A scorched earth approach is the only way to fix it.

                • Colonial Viper

                  Bloody Clark filling the government departments with all her lackeys, she’s completely fucked the public service.

                  Hmmm, funny thing is, it’s John Key doing the shoulder tapping of his mates.

                  A scorched earth approach is the only way to fix it.

                  Sure, Fletcher must be the first to go.

                • Arfamo

                  Where is your link to anything showing this problem in the DoJ website was whistleblown by a public servant? It’s news to me. Are you just off on another shit-slinging rant at perceived reds under the bed everywhere or have you got something more substantive to point to?

                  And forgive me, but four years of a scorched earth approach by the Natsys seems to have left the public service in the state you’re complaining about. Which was predictable. And possibly intentional.

                  • Colonial Viper

                    It is intentional. In the eventuality of a Labour win, it disables a first term Labour Govt for 18 months as they scramble to hire good people and rebuild morale in a shattered public sector. In other words, it helps run the clock down on Labour’s first term.

                    Mind you, shit loads of Wellington public servants voted National so, they get what they wanted.

                • Arfamo

                  If a public servant doesn’t understand the concept of neutrality then the public service is the last place they should be working.

                  The public service is not neutral. It is required to be completely loyal to the Minister. It has been 2 or even 3 decades since the reverse applied, and this government has mounted the most sustained campaign of denigration of public servants (who cannot defend themselves) of any administration I’ve known.

                  • Coronial Typer

                    Well said. From all the current and past public servants reading this site.

                    It’s a mistake however for Grant Robertson to personalise it to the Prime Minister. A campaign about the government handling data should be about how citizens feel, how our rights are being taken away, how we personally are hurt, and from that how we feel about the current government generally. It’s too big to be about the PM, and it should corrode the whole of government, not just the officeholders, if it is to work.

                • Draco T Bastard

                  If a public servant doesn’t understand the concept of neutrality then the public service is the last place they should be working.

                  There’s a difference between being neutral and doing your job. In the public service if things are going from bad to worse then their job is to actually inform people who will do something about it. The opposition being someone who will do something.

        • Colonial Viper 5.1.1.2

          The public service is completely compromised, the only cure in my eyes is fire.

          I really hope that National tries your suggestion.

  5. ghostrider888 6

    felix was prophetic; it was the MOJ next. (avoid traveling incognito to that tropical paradise, cos ya won’t be).

  6. Poission 7

    One of the causative mechanisms of the privacy breaches is that it is the result of sharing data.

    The minister for money laundering, tax avoidance and buffoonery wants to extend the risk to the IRD.

    http://www.beehive.govt.nz/release/tax-info-sharing-may-help-fight-crime

    Dunne Collins and Tolley should be arrested for crimes of stupidity.

    • Draco T Bastard 7.1

      One of the causative mechanisms of the privacy breaches is that it is the result of sharing data.

      No, it’s the result of using individual files and email to do the sharing rather than a secure database.

      • Colonial Weka 7.1.1

        Govt depts have been data sharing for a long time, so why the problems now?

        • Arfamo 7.1.1.1

          Downsizing & top management thinking that someone competent somewhere in the organisation must surely be looking after their information systems. But sometimes, they aren’t. Information management and retrieval has not truly been seen as a priority in many depts it seems.

        • Draco T Bastard 7.1.1.2

          Well, partly from cutting staff, partly from the new staff that have come in not being properly trained and budget cuts.

          But there’s still the fact that no one within such an organisation should be able to attach a spreadsheet containing thousands of people’s names and data to an email. It’s not that it shouldn’t happen; it should be bloody impossible in the first place.

          • Arfamo 7.1.1.2.1

            True. But in some cases I suspect we are simply seeing the final collapse of information management systems & operating procedures that have been getting progressively pummelled and muddied after multiple restructures for well over two decades. New managers produce new systems and procedural guidelines for “renewed” organisations, but these sometimes conflict with the previous organisation’s guidelines whose status is now assumed by new staff to be “obsolete”. High staff turnover, high workloads, and cuts only exacerbate these problems. Often the “backroom” and admin support staff they got rid of were the only ones who understood & sometimes held the various fractionated systems together. DH’s post of 3.24 pm below is very apposite.

    • Rogue Trooper 7.2

      crimes of fashion, unlike Rachel who was Hot in orange, Paula, not so much, Patrick, well, tepid springs to find.

  7. DH 8

    This has all been pretty predictable and it’s more than a ‘government’ problem; it would be happening just as much under Labour too since they’re all a bunch of luddites as well. There are insufficiently defined processes for email security in Govt departments, likely because there appears to be no-one in overall charge with adequate knowledge & experience in network security.

    The experienced network administrator knows that all users are put on this world to make the admin’s life a misery. Users have no other purpose in life except to drive systems & networks people to the room with rubber walls, and the admin’s job is to keep them on their leashes.

    When designing the network security policies you work with the certain knowledge that users will fail to follow the procedures you establish to ensure no security breaches occur. They can’t help themselves. Giving users a PC is like wiring up a metal button to an electric fence generator and placing it on their desk with a big “Don’t Touch” sign on it. You know they’ll push the button.

    So you design security in depth. You do it in layers. You figure out every devious trick the users will play on you and you set up traps to catch them. Experienced network admins are worth their weight in gold because they learnt all the Machiavellian tricks that users get up to and still somehow retained their sanity.

    The problem looks to be that either they don’t have good enough network admins or the admins are not being allowed complete control of their network. I’d bet heavily on the latter, bad admins usually end up gibbering idiots (or consultants) before they get that far up the ladder. I’d say they’ve got users in charge of the asylum, you can smell it.

    FWIW one method of preventing most of these types of leaks is to install an app like Mail Marshall as the email gateway and set up policies on attachments, file formats & naming conventions, CCs, user rights etc etc. It’s not as if email was only invented yesterday.
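Added example (not code from the post or any commenter, and not a MailMarshal or Brightmail configuration): a minimal outbound email gateway policy of the kind DH describes, which also makes concrete Draco T Bastard’s point further up that attaching a spreadsheet of thousands of people’s details should be impossible rather than merely discouraged. The trusted-domain list, the thresholds, the personal-data field names and the sample payroll extract are all assumptions constructed for the example.

```python
"""Outbound email policy check: hold a message when it is a bulk external
send or when it carries a spreadsheet of personal records. Example code;
domains, thresholds and field names below are assumptions."""
import csv
import io
from email.message import EmailMessage

TRUSTED_DOMAINS = {"example.govt.nz"}      # assumption: the agency's own mail domains
MAX_EXTERNAL_RECIPIENTS = 5                  # assumption: beyond this, treat as a bulk send
MAX_PERSONAL_ROWS = 10                       # assumption: beyond this, a CSV is a record set
PERSONAL_FIELDS = {"name", "surname", "dob", "date of birth", "address",
                   "bank account", "salary", "ird number"}
SPREADSHEET_SUFFIXES = (".csv", ".xls", ".xlsx")


def recipients(msg):
    """All To/Cc/Bcc addresses, lower-cased."""
    out = []
    for hdr in ("To", "Cc", "Bcc"):
        out += [a.strip().lower() for a in (msg.get(hdr) or "").split(",") if a.strip()]
    return out


def external(addrs):
    """Addresses whose domain is not one of ours."""
    return [a for a in addrs if a.rsplit("@", 1)[-1] not in TRUSTED_DOMAINS]


def csv_personal_rows(data):
    """(data-row count, personal-data headers found) for a CSV attachment body."""
    rows = list(csv.reader(io.StringIO(data.decode("utf-8", errors="replace"))))
    if not rows:
        return 0, set()
    headers = {h.strip().lower() for h in rows[0]}
    return len(rows) - 1, headers & PERSONAL_FIELDS


def evaluate(msg):
    """Return policy findings; an empty list means the message may be released."""
    findings = []
    ext = external(recipients(msg))
    if len(ext) > MAX_EXTERNAL_RECIPIENTS:
        findings.append(f"bulk external send: {len(ext)} external recipients")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(SPREADSHEET_SUFFIXES):
            continue
        if name.endswith(".csv"):
            nrows, fields = csv_personal_rows(part.get_payload(decode=True))
            if fields and nrows > MAX_PERSONAL_ROWS:
                where = "external recipients" if ext else "internal recipients"
                findings.append(f"{name}: {nrows} rows of {sorted(fields)} to {where}")
        elif ext:
            # Binary workbook we cannot inspect here: hold it rather than guess.
            findings.append(f"{name}: binary spreadsheet to external recipients, hold for review")
    return findings


def decide(msg):
    """Gateway verdict for the message."""
    return "quarantine" if evaluate(msg) else "release"


def build_message(sender, to, cc="", attachment=None):
    """Construct a message; attachment is (filename, maintype, subtype, bytes)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, to
    if cc:
        msg["Cc"] = cc
    msg.set_content("Please see attached.")
    if attachment:
        fname, maintype, subtype, data = attachment
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=fname)
    return msg


# Constructed sample: a payroll extract of 40 made-up staff records.
SAMPLE_CSV = b"Name,DOB,Bank account,Salary\n" + b"".join(
    f"Staff {i},1970-01-{i % 28 + 1:02d},00-0000-0000000-0{i:02d},55000\n".encode()
    for i in range(40))


def sample_bulk_leak():
    """Constructed case: staff extract sent to seven addresses at other organisations."""
    others = ", ".join(f"admin@school{i}.example" for i in range(2, 8))
    return build_message("payroll@example.govt.nz", "admin@school1.example", others,
                         ("all_staff_extract.csv", "text", "csv", SAMPLE_CSV))


def sample_routine():
    """Constructed case: one internal colleague, no attachment."""
    return build_message("payroll@example.govt.nz", "hr@example.govt.nz")


if __name__ == "__main__":
    for m in (sample_routine(), sample_bulk_leak()):
        print(decide(m), evaluate(m))
```

The point of the layering is that neither rule on its own catches everything: the recipient-count rule stops a mass mailshot with no attachment, and the attachment rule stops a single-recipient send of a whole payroll file. A real gateway would also log every finding with sender, recipients and attachment hash so that a breach can be traced afterwards.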

    • Rogue Trooper 8.1

      more informative and constructive than the Daily Herald.

    • infused 8.2

      Not network admins, Windows admins and Exchange admins. They already have Symantec Brightmail in place doing the SSL encryption. It has all this functionality in it – yet I bet they are not using it.

      • NickS 8.2.1

        This.

        The tools and methods are already there but no-one’s bothering to fucking use them it seems, and the justice department website issues are absolute amateur hour stuff.

      • DH 8.2.2

        Aye, there’s plenty of options for securing email. But the planning & decision to deploy them has to come from the top; you can’t have ad-hoc implementations halfway down the WAN. These are large & important networks that need to be fully documented and tightly controlled with a clear chain of command right to the top.

        There’s gotta be someone in overall charge of the network, with the right background, who knows exactly what’s going on with the network. I get the impression there isn’t anyone… if there was they would have known they needed better security.

    • NickS 8.3

      Lawl, and heavens forbid you give them un-locked-down Windows PCs.

      The experienced network administrator knows that all users are put on this world to make the admin’s life a misery. Users have no other purpose in life except to drive systems & networks people to the room with rubber walls, and the admin’s job is to keep them on their leashes.

      Frankly I’m all for ICT being armed with modified nerf guns with which to mass shoot offenders, no matter how high they are up the management ladder.

      Along with cementing shut all USB, firewire, and esata ports + locking the ethernet cable in and disabling wireless connections (they be weaksauce encryption wise at present) just to be sure.

  8. Huginn 9

    Keeping the government’s data and information processes secure is core GCSB work.

    http://www.gcsb.govt.nz/our-work/ia.html

    This is a systemic failure.

  9. vto 10

    Systemic failure coming to a hospital near you.

    Is the weird government actually going to have food for people in hospitals trucked in from giant sandwich making machines hundreds of kilometres away?

    I mean, when the next earthquake strikes and the roads are taken out, or there is some other failure, how will the people be fed? Is this not why hospitals have generators in case electricity is lost? Is food not in the same category when it comes to self-sufficiency and life saving?

    This is the most strange decision I have ever seen and Ryall now reveals himself as a fully blown q c.

    • Colonial Viper 10.1

      wait until one of those meal production centres is taken out and half the hospitals on an Island starve.

      Massive centralisation and scale like this increases fragility and decreases robustness. It’s short term financial smarts for long term operational stupid.

      • vto 10.1.1

        They put lives at risk for it?

        Tony Ryall puts peoples lives at risk so there is money for others? At the same time his government gives millions to rich business interests such as farming?

        • Walter 10.1.1.1

          Farming is not a rich business, it’s a lot of hard work for low returns

          • felix 10.1.1.1.1

            Yeah that’s why hardly anyone does it.

            Walter, you’re a fucking child.

          • Draco T Bastard 10.1.1.1.2

            And yet this government wants us to do more of it despite it having fuck all returns and is destroying our environment.

            Besides, I think you’ll find that a lot of farmers are very well off.

          • Akldnut 10.1.1.1.3

            So get out and find another job if you aren’t happy with the return from the one you have – oops, that’s right, there ain’t any falling out of the woodwork for bludgers living off govt handouts.
            And because they’re farmers they’re in a different category, they’re hardworking bludgers living off Govt handouts.

            Are they going to be drug tested to receive their handouts?
            Will the amount they receive drop per extra child they have?
            Will they have to attend job scheme or business Management courses to receive that money?
            How many farmers will get handouts that will help pay off their mortgages and employees wages?
            Will the amount they receive depend on the amount of shares they may have?

            If the builder, tow truck driver, mechanic or other such small business down the road is going belly-up – they don’t get a handout.

            Let them stand alone and struggle like the rest of us, give them a hand up (to use National’s words) when they are like the rest of us – almost destitute.
            Different rules for them.

          • Colonial Viper 10.1.1.1.4

            Farming is not a rich business, it’s a lot of hard work for low returns

            For the farm workers and shed hands paid a pittance, you are right.

        • Draco T Bastard 10.1.1.2

          It’s National – putting lives at risk so that their rich mates can make a profit on the taxpayers dime is perfectly normal for them.

  10. BLiP 11

    Nice work, Mr R0bins.

    As far as I’m concerned all leaks are good leaks so, I guess, one has to praise National Ltd™ for its openness, however accidental. The privacy issues are of concern, though, especially Basher Bennett’s malicious use of details to quash dissent. I tend to go along with the suggestion above – that this increase in clumsy administration is due to the gutting of the public service and appointment of under-paid, under-trained, under-resourced, over-worked and, these days thanks to National Ltd™, maligned civil servants. Deliberate? Yeah, probably.

  11. Akldnut 12

    Good point blip, they promised transparency, so now we have it to an extent through these leaks.
    This was part of their election pledge and to get it through all they had to do was under-train, underpay, overwork, and attack the employment and conditions of public servants.
    What are we all complaining about!
