Public Kiosks That Dispense Private Data (and basic security)

New Zealand’s Ministry of Social Development (read: social services) put in some neat kiosks. Connected to their network. Which had no internal firewalling to speak of. And lots of wide-open Windows file-shares. The kiosks also ran Windows, with Microsoft Office, and its magic ‘file open’ dialog box that lets you browse the local network and open any file you like from an accessible file-share. Files like active fraud investigation reports, and invoices for suicide counselling — with the patient’s name.

A techie discovered this by accident, trying to open a file on his USB drive. He tried to report it, but got no response, so tipped off a well-known blogger. The kiosks have been taken offline.

(he did ask if they had a reward for reporting, more on that kind-of-iffy move here: )

Note that the ultimate response of the New Zealand agency involved their Privacy Commissioner and taking the kiosks offline — not jail time for the techie or the blogger.

Are public institutions any more trustworthy than companies when it comes to handling your data? Consider that, while the kiosks have been shut down, their internal network is probably still extraordinarily vulnerable. As soon as someone brings in an unauthorized wireless access point, guess what anyone in the parking lot can do?

Basic security: Trust no one! is too paranoid for most of you. But you can start with the basics: take charge of the really fundamental things in your life. Make a point of buying your own food from the grocery store, preparing it yourself, and storing it so you know immediately if it goes bad or if bugs get in it. Same goes for your laundry.

Where’s the security angle in all this? It should be obvious.

Once you’re solidly providing for yourself, copy that mentality in anything you care about. All of a sudden you become a very hard target — and one free of the paranoiac’s fear.

(this idea is inspired in part by JMA’s ‘Pearls’ series of posts — — I disagree with certain of his points* and don’t like the somewhat kookily self-important quality of the writing, but don’t dismiss what he says out of hand on those grounds. And he did recently announce he’s “coming out of the cold” and going to exclusively private-sector work, which is great to hear.)

* for example, in my experiments on a subject pool of one, hard surfaces proved infinitely superior to soft beds.
[apologies for the wierd character replacement]

“Last week, I got tipped-off that the parts of the MSD network were completely exposed to the public. You could go into any WINZ office and use their self-service kiosks to access their corporate network.[…]

by just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network, and then open up any accessible file.

This basically means you can grab any file that wasn\u2019t bolted down on the network, while standing in the middle of a WINZ office. And that\u2019s what I did.

So what wasn\u2019t bolted down? Let\u2019s start with the boring stuff. There were servers connected to their call centre systems, logging calls going in and out. They contained sound recordings which I couldn\u2019t open, but which I suspect (for various reasons) are NOT complete recording of calls. I guess I\u2019ll leave that for the Privacy Commissioner.

And then there were file server logs. Normally, they aren\u2019t that exciting. Except that WINZ name their files quite well. For example:

s:\SharedData\wi_wites\Waikato\HAM\Fraud Investigations\[Name of investigator]\[Name of WINZ client] 23 Jun 2011 Case 640026-10.WMA

And so on. There were similar files for other \u201cspecial\u201d clients as well. There are probably a lot of personally identifying details in there, but I didn\u2019t spend much time going through them, because then I got tipped-off about the invoice server. It contains what appears to be all of MSD invoices for this year. Among all the invoices for milk and sausage rolls were invoices for:

With full names, hours worked, pay rates and pay details for all of MSD\u2019s contract workers (Studylink/Call Centre staff, consultants, *coughmediatrainerscough*, temporary staff, etc).

With full names of candidates for adoptions, foster parents and Limited Services Volunteers (they have to get medical reports first). Others were for children in CYFS care, with their full names and their chief complaint; some of these were for x-rays after injuries.

Debt Collection
MSD\u2019s Collection Units uses Veda to keep track of people who owe them money. And Veda\u2019s invoices to MSD shows the full name of every person they helped MSD to locate. i.e. The invoice is a list of people who owe MSD money. MSD outsources debt collection to another vendor, whose invoices detail the full name of each person owing money, how much they\u2019ve paid and how much they still owe to MSD.

Fraud Investigation
The Benefit Control Unit and Intelligence Unit (basically the fraud investigators) also used Veda to locate and get credit records for people they\u2019re investigating (with full names, of course). Conveniently, these are billed separately, under \u201cBenefit Control Unit\u201d and \u201cIntelligence Unit\u201d, so it doesn\u2019t get mixed up with the Collection Units\u2019 invoices. Another set of invoices are for the servicing of court documents on behalf of MSD, some done by private investigators.


That\u2019s the light stuff. Now it start getting messy:

HCN stands for \u201dHigh and Complex Needs\u201d. These are:

..short-term, intensive interventions aimed at addressing the severe and current needs of the most challenging children or young people

Note \u201cthe most\u201d. Because of it\u2019s interagency nature, invoices come from other agencies to CYFS. These invoices contain the full names of kids in the HCN programme and the cities they live in. In a few cases, they also contain the date of birth and the name of the school which they attend.

Care & Protection
Care & Protection homes are:

This is a safe and secure place where children and young people will go if they are in our care and can\u2019t live in the community for a while. They might stay at a residence if:

there are worries about the child or young person\u2019s safety their actions are putting themselves at risk
or they are putting others around them at risk.

These invoices contain the first names, dates and costs of children living in CYFS Care & Protection homes. Other CYFS residential arrangements are also listed, containing the full name of children.

Phone bills
Bills from Telecom for CYFS Family Homes and Care & Protection facilities. Since the billing address is just MSD, it\u2019s often hard to tell which facility the phone bill is for. So Accounts has handwritten the full address of each of these facilities on each bill.

Along with the name of the facility and its address are the normal stuff contained in a phone bill: The phone number of each of these facilities, along with a complete log of all the toll calls made from that location.

Bills from pharmacies to CYFS facilities, listing the children in that facility and the medication they are prescribed. These range from the antibiotics and scabies cream to cancer drugs, ADHD drugs, anti-depressants and anti-psychotics.

Legal bills
All of MSD\u2019s legal bills are in there, along with other legal bills paid for by MSD (e.g. Representation for foster parents). Most of these are invoices from Crown Law. They often mention the full names of parties and lawyers in the case, as well as the nature of the case. This can be very revealing information, for example, if the nature of the case is \u201cHistorical Claims\u201d, and the lawyers representing one side specialises in historical abuse and the other side is CYFS.

Some of these claims were settled out of court. The details of the settlements are not there, just the fact that a complaint was made and that it was settled.

In any event, all of these invoices are legally privileged.

Last one
One community group invoiced for providing support to a whanu after a suicide attempt (full name of that person included).


I sorted through 3500 invoices. This was about half of what I obtained, and what I obtained was about a quarter of what was accessible. There are probably more outrageous things still on that server, and there probably other servers that I\u2019ve completely missed. But I\u2019m done for now.

This stuff was all a few clicks away at any WINZ kiosk, anywhere in the country. The privacy breach is massive, and the safety of vulnerable children was put at risk.

This should never have happened:

Public kiosks should not have been connected to the corporate network.

Servers that didn\u2019t need to be globally accessible should not have been globally accessible, even if they only contained innocuous data.
Invoices, file logs and call logs, at a place like MSD, should not have been treated as innocuous data.

Aside from the files I got my hands on, I was also told that the configuration files for virtual machines were readily accessible in the same way. I\u2019ve had no experience with setting up virtual machines, but here you go:

If someone knows how bad/not-bad this stuff is, please explain it to me in the comments section! And yes, the bit I blanked out were passwords in plaintext.

The Acting Privacy Commissioner were briefed on this day, and I\u2019ll be handing the files over to them tomorrow. This story took most of the week to do, so if you like it, some money would be greatly appreciated.

UPDATE: MSD has told me that they will be taking the kiosks offline until the problem is resolved.”


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: