BreachExchange mailing list archives

'Staggering' security breach at Winz


From: security curmudgeon <jericho () attrition org>
Date: Mon, 15 Oct 2012 11:34:42 -0500 (CDT)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.odt.co.nz/news/politics/230439/staggering-security-breach-winz

By Kate Shuttleworth
Otago Daily Times
15 Oct 2012

Thousands of files on the Ministry of Social Development's computer 
servers, including the personal details of at-risk children, have been 
accessed through a Wellington Work and Income jobseeker kiosk.

Journalist and blogger Keith Ng described how he went into a Work and 
Income (WINZ) office and used a self-service kiosk, normally used to look 
at job vacancies, to access up to 3500 files on the agency's server, "just 
using the Open File dialogue in Microsoft Office".

Mr Ng said the files were PDF copies of ministry files and he has posted 
screen shots of what he found online.

He said on Sunday night on Public Address he had managed to view an 
invoice to a community group who had supported a family after their family 
member attempted suicide, including the person's name, invoices relating to 
children in Child Youth and Family (CYF) care, including addresses, 
sensitive client case notes, the names of candidates for adoption and 
passwords in plain text.

Mr Ng said all information he had obtained would be handed to the Privacy 
Commissioner and he had sought advice from a media law expert prior to 
publication on the blog.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
