Monday, 15 October 2012

Why the MSD privacy breach matters

It's pretty easy when you see politics as a game to forget that the scandal now known as #WTFMSD is not just about Paula Bennett's competence (or not) as a Minister,  continuing to tarnish a Government that has been just a wee bit beleaguered of late. 

What a massive privacy breach, of really quite gargantuan proportions, means in practical terms is actually fear.

Fear of people finding out your private stuff.  Fear of people who Don't Need to Know finding out your private stuff.  Fear of people who You Don't Want To Know finding out your private stuff.  Fear of people who are Dangerous to You and Your Loved Ones finding out your private stuff. 

Private stuff like your new name, your current address, your beneficiary or CYFS arrangements.  Private stuff which could make it easy to find you.

Emma explains it succintly, clearly, and powerfully, on PAS today:
[quote from someone else, upthread] Mind you, you know exactly who could (would) do what Keith did? Bored, inquisitive, mildly anti-social young men...
[Emma's comment].... who have children hidden from them in CYFS care, and have just been given enough information to find them.
I read this column last night, and had to go to bed and have a wee cry. And it wasn't just because my daughter's had dealings with Youth Specialty Service that involved funded counselling and drugs.
I was one of those kids. For two years in the 70s, my family was in hiding from my father. He had access rights: on one of those visits he managed to trick me into telling him where we were living (I was six, okay), and we had to move. I had to change schools. The very information Keith has detailed here, which would have been on Social Welfare's files about us, would have been sufficient for my dad to at least find my school and wait for me. He could have used me to find my home, and my mother. She could have died.
If we were in that situation now, all he'd need is some unsupervised time on a kiosk, and the technical knowledge to open a file in Word.
The political management of this issue has become the main topic of conversation now.  When did MSD know they had a problem?  A year ago; several months back; last week; on Sunday night; or, like the PM, today?  If they found out earlier than yesterday why didn't they act sooner? 

But please let us not forget just why this breach matters so much; because MSD were not reliable and secure stewards of the information they hold, and have thus made many of the most vulnerable in our society, those MSD is supposed to assist confidentially and with respect, even more at risk.  And even more afraid.


toad said...

And now it seems MSD or Bennett have outed the source who relayed the info to Keith Ng - another privacy breach, and clearly a deliberate one.

How bad can it get?

Anonymous said...

this likely happened as part of her plan to keep the public informed of what beneficiaries are doing with their money, as the media did not like her last attempt much.

Anonymous said...

Also what hasnt been pointed out is that not only was that info available but you could set up remote access, change passwords, reconfigure firewall etc

K said...

Actually it means the entire MSD system should be considered compromised. At present they have managed to keep that off the front page but it is sadly true and not helped that joe public has had access to the kiosks for two whole years. That's over 700 days for data to be breached with no way of tracking anyone inside the system - in short the gap in the system was wide enough to allow someone to go in and play God.

Even without that the invoices available were read/writable so they could be altered. I find it hard to believe that these guys were the first to discover such a gaping wide system vulnerability.


WINZ Network Fully Compromised,nz-government-needs-to-start-over-on-security.aspx

DimentionData told MSD last year