Why the MSD security breach matters

ImagePolly Peek

Last month scandal erupted as news broke that confidential client information, and financial records were freely available to anyone using self-service kiosks in Work and Income offices around the country.

The complete lack of security in the system has been the subject of much criticism, with systems administrators revealing just how simple it would have been to create a secure network or fix the security issues when they first became apparent.

Another aspect of the privacy issues which has sparked public outrage has been the confidential nature of the information available, and the ability for those viewing the information to identify the clients concerned, and in some cases locate them, as names and addresses (as well as other identifying information) had all been easily accessible. 

On October 14th, independent journalist Keith Ng published an article detailing (without exposing the personal details of Ministry of Social Development clients) the information available at WINZ kiosks to anyone who had time and basic computer skills.

Amongst the information available were invoices for client medical appointments, staff pay, fraud investigations and debt collecting agency work, most of which contained the names of clients concerned.

Names of people involved in legal cases, including sensitive matters such as historic abuse cases against CYF were available, as were the name of a family supported by a community agency funded by MSD after a suicide attempt by their whanau member.

More concerning still were personal details for young people in Child Youth and Family care, including High and Complex Needs youth, contained the invoices.

Young people labelled as “High and Complex” needs are identified by social service agencies as the most at risk, or vulnerable.

They are children and teenagers in the care of Child Youth and Family, but who also very often have a numerous other difficulties related to mental illness, substance use issues, intellectual disability, behavioural issues, past trauma or abuse, physical health problems and educational needs.

Hypothetically, an HCN young person might be a 16 year old with the mental age of a 12 year old who has a history of physical and sexual abuse, ADHD, expulsion from mainstream schools and issues with absconding (running away) self-harm and drug use.

The attachment issues that can result from young people being moved from dysfunctional family situations to CYF residential and foster home placements mean that HCN young people can experience issues with family relationships, and can seek out inappropriate connections with other adults.

For young people with High and Complex needs, the availability of personal information to the general public places them in a more vulnerable situation than already exists.

Had the security flaw been found by someone other than IT workers and more recently Ng, CYF and community residential services for HCN youth, as well as the schools they attended, could have experienced a range of challenging situations, from the arrival of disgruntled family members at residential homes, to predatory men contacting young people in care.

People who work in HCN services know how these risks to young people’s safety occur already, without serious privacy breaches enabling them, and the extent to which the availability of this information puts young people at risk is very clear.

Since news broke of the security and privacy issues at the MSD, the political response has varied. Prime Minister John Key described the system flaw as a failure, however also publicly stated that the information accessed by Ng was not readily available to the public and could only be accessed with deliberate searching.

Labour and Green party spokespeople have argued against this, highlighting the ease with which the information could be found and drawing attention to the systemic privacy issues within government departments including recent issues with ACC and IRD client information.

It is this systemic nature of privacy and security issues which should be of concern. It is hard to believe that client confidentiality is a priority of the Government, when simple system flaws lead to the accessibility of highly confidential information.

The possibility of deliberate ignorance of the issue is also becoming apparent as advocacy groups and others reveal knowledge of the ssecurity issues, which MSD was made aware of soon after the development of the kiosk system.

In the context of the unintentional ACC information leaks, and purposeful breach of beneficiaries’ privacy by Social Development Minister Paula Bennett, the lack of consideration for people’s confidential information is clear.

We need a system that upholds people’s dignity, and the safety of those already vulnerable and ‘at risk’. A radical reflection on how state support should be organised must take into account, not only the structure of social welfare, but the culture of services providing support, in order to ensure personal information is handled respectfully.


%d bloggers like this: