

Massive data leak in New Zealand government servers - oreilly
http://publicaddress.net/onpoint/msds-leaky-servers/

======
jl6
This is the main reason I'm skeptical of central government databases. Not
because of the minuscule chance of them enabling a police state, but because
of the very great chance that the data will not be properly safeguarded.

~~~
stfu
But but but, I thought building a central health-care database is such a
brilliant idea and saves so much money!11

~~~
lostlogin
The health data base is very well protected from what I know. And access is
strictly monitored. If patient notes are viewed by someone who does not need
to view them, they face harsh discipline. I recall a case from when I used
this database a long time ago. In terms of high profile issues with it, the
current eel-in-arse story is going to result in action and this is being done
via the system's user tracking.
http://m.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10838269

Edited for spelling

~~~
yogar
If they are monitored and if unauthorized access is prevented by "harsh
discipline", then they are not protected. Protection is proactive, not
reactive.

~~~
frio
There are always reasons why unauthorized access may be needed (or, to phrase
it better: where authorization should be dynamically extended), however. For
instance, if a patient arrives in the ED, then a doctor who has never treated
them before and normally should not have access to their records, may need to
view them. So long as access is audited correctly, then the issues involved
are mitigated.

FWIW, "eel case" aside, I know of clinicians being unceremoniously sacked for
breaching patient privacy; and I know of NZ hospitals hiring staff to monitor
the audit logs on a daily basis. It's a very big deal, and something that a
lot of work is put into getting right.

------
meric
I'm glad so far the government haven't mentioned bringing charges against the
author yet. That probably shows you how much I expect from government these
days...

~~~
Zenst
That was my first thought, sadly many other governments would never be as
close to open as this in all compass directions of the World. So kudos to the
NZ government upon that aspect.

------
piggity
Having physical access to the network shouldn't (in a better world) result in
such an utter compromise.

With the ability to plug in devices like the Pwn Plug; your network needs to
be moderately resilient to attacks from inside.

~~~
Lerc
Agreed. In fact I would go as far as to say that all systems should be
deliberately connected to a network physically accessible from the outside
world. That way you cannot hide behind the assumption that you have not
inadvertently connected.

All security layers have to be based on what you are allowed to do. Cutting
abilities in a non-privilege-restriction manner is just asking for people to
figure out another way to get through.

------
ericcholis
Wow, Active Directory Much? There's so many ways to do this correctly using
simple groups in AD. Or hell, why do these public kiosks even need to be on
the same network?

~~~
ams6110
Why would a public kiosk even be running a consumer OS? They should be running
a bare-bones OS with EVERYTHING not necessary to perform their intended
functions removed. AND be on their own network.

Why are power plant (and other similar) control systems in any way accessible
by the internet?

Why are credit-card processor internal networks in any way accessible by the
internet?

Answer: because it's what happens by default, and people are too lazy or too
ignorant to configure appropriate safeguards.

~~~
Spooky23
Because using some bespoke OS costs a fortune and accomplishes nothing.

Windows is more than capable of providing a secure environment for this sort
of thing. What you're looking at is some shoddy work that was probably done by
some contractor years ago.

------
rurounijones
That is entering the realm of criminal negligence.

This is not a simple data breach, there is stuff in there covering fraud
investigations, suicide attempt documentation. This has got to be the most
wide-ranging privacy cock-up I have ever heard of.

Plus if this was accessible from a kiosk I HIGHLY doubt they properly segment
this information internally either.

A large number of heads (including those going up the chain, supervisors,
auditors, privacy managers) should roll over this one.

------
justincormack
Typical use of a "firewall" to guard what people think of as the external
entry points and then leave nothing once you get in. Plus no auditing of
permissions. Alas all too common.

------
propercoil
I won't be surprised if they classify it as "terrorism" and require some
internet "protection" bill.

~~~
Negitivefrags
That kind of thing only happens in New Zealand when the USA is threatening
trade sanctions. In this case, not so much.

~~~
oreilly
Current politics in New Zealand are unlikely to see this as a terror or hacking
issue. This is the agency responsible for the jobless, and they are a very low
priority mainly used for political diversion.

------
jvdh
This is easily the biggest data breach that I have ever seen. I sincerely hope
no one noticed this before, this has the potential to have a severe impact on
so many lives in New Zealand.

~~~
Zenst
Sadly you can imagine less honest user would have found this and not alerted
anybody of authority. The level of security being utilised is at a level that
how many years was it like this as it has been that secure since then sadly.

Many people also may have less respectful governments with regards to being
alerted to this and could even end up charging you. Some even have laws
against even checking if it is secure as it would be deemed hacking a
governmental server. When you have that type of law then you can only imagine
at the security in some of the offices. You hope they have good security staff
and pentesters. This is clearly not the case with this oversight. It is beyond
schoolboy error level even of security.

Still, at least in other countries they just leave all that data on a USB stick,
so in that it is hard to gauge how much data leaked in comparison to others.
But the opportunity is large and covers areas that can and could have caused a lot
of damage.

------
oreilly
Keeping in mind governments can screw up this badly... the security errors some
startups launch with don't seem so bad.

~~~
aristidb
There is no excuse for some of the security errors we have seen. Especially
not government incompetence being equal or greater.

It is true that startups should not concentrate on perfect security, as
supplying something the buyers want should be absolute priority number one,
but even then there's no reason to not at least get the basics right if there
is any kind of sensitive data involved.

------
boop
Once it was clear that there was a leak of confidential information, he
should have taken what was required as minimal evidence (a few screenshots?)
and then contacted the Acting Privacy Commissioner.

Did he really need to go through files related to Doctors/Radiology, Debt
Collection, Fraud Investigations, Care and Protection, HCN? Snooping through
the servers beyond what was necessary was wrong.

The bigger story is the lack of security on the New Zealand servers. However,
what he did was wrong and possibly illegal IMHO.

~~~
ppog
Going that extra mile was necessary to make this a big story instead of having
it brushed under the carpet. It seems that the leak was known about as much as
a year ago
(http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10840564),
MSD were informed, but nothing was done because there was no media firestorm.
By showing what was exposed, Keith Ng made the horrific impact of the leak
understandable to the public and media and greatly increased the likelihood
that something will get done.

