NZ blogger names source for data leak tipoff

Kiwi self-serve privacy outrage continues

Blogger Keith Ng, who went public over the deeply careless implementation of the job-seeker kiosks at New Zealand’s Ministry of Social Development, has named the man who gave him the tip-off as Ira Bailey.

The revelation, which Ng writes was made with Bailey’s permission, adds a certain spice to the story, since Bailey is an activist who was arrested in 2007 as part of a series of raids over “terrorist” camps in New Zealand’s Urewera Ranges. Charges were not pursued.

Ng states that Bailey had asked the MSD whether it offered any kind of “bug-bounty”, and denies that this inquiry amounted to a “demand” for money.

While not describing the request as a demand, ministry CEO Brendan Boyle said yesterday that “He indicated he would be prepared to co-operate with us if there was a reward for providing information. We made it very clear we didn’t provide money in situations like that.”

According to Ng, Bailey discovered the security vulnerability while trying to work out why a kiosk didn’t load his USB key: “he had a poke around the file system to find it – and found the giant vulnerability instead”.

The kiosks were installed by Dimension Data, which earlier this year reportedly conducted an audit of the system.

While calling the privacy breach “totally unacceptable”, NZ prime minister John Key has lashed out at Bailey, saying in a television interview that Bailey should have identified the kiosks as vulnerable when he first contacted the ministry.

The political row over the privacy breach seems certain to widen, since the security of government information has been a sore point for some time. In 2009, that country's Privacy Commissioner criticized the security of citizens' information across a range of departments.

New Zealand's Accident Compensation Corporation is under siege after last year releasing thousands of customer records by accident. ®
