Ministry of Justice database access hole reported to Opposition MP

Ministry of Justice says reports of a potentially serious security breach of its database systems are wrong

Reports of a potentially serious security breach in Ministry of Justice database systems are wrong, the ministry's deputy secretary organisational development and support, Rose Percival says.

"There has been no privacy breach and no release of private information," she says.

However, Opposition ICT spokesperson Clare Curran insists, after a second informant contacted her, that confidential files are open to intrusion.

"What has occurred," Percival says of the first alleged breach, "is that someone has accessed an administrative file in a ministry website.

"This isn't a member of the public inadvertently finding information. It appears to be about someone with IT skills deliberately trying to get into a ministry IT system -- the site where people apply to become licensed security guards."

The discoverer of the flaw conveyed to Curran a report alleging a hole that allowed a user to get across from a public section of the ministry's website to a password list. Curran is not disclosing the informant's identity.

An initial impression that the databases covered licences and fines led Curran to suggest "those databases would likely include the personal details of many victims of crimes." But this is not correct, Percival says.

The initial vulnerability brought into view a file of passwords in plain text, which it was believed could in turn be used to access the database. The whistleblower who informed Curran did not themselves try to access the database, but only viewed the password list.

Justice Minister Judith Collins says the passwords in the breached file could only have been used to access databases from within the ministry.

"The ministry does not want anyone to be alarmed and is concerned that these claims are being made," Percival says. "The ministry takes information security seriously and has extensive systems and multiple layers of security in place to ensure this.

"The system in question is isolated and protected by firewalls that control access to other ministry systems," Percival says. "The ministry does not believe the person could have used the information in the administrative file to access other ministry systems or information.

"The ministry has identified how the person accessed the administrative file and has closed the affected website while it addresses this issue. It will be running again as soon as testing of the changes is complete.

"Unfortunately, no website, just like no building, is completely secure if people are determined to get into it," Percival says.

However, Curran still insists there are serious holes in the ministry's security. "A second person has this afternoon come forward and said that significant flaws in the ministry website allowed easy access to more than 63,000 documents via the Tenancy Tribunal section of the website," she says.

"I have been told that these are basic security flaws not requiring a lot of computer programming knowledge.

"I note that parts of the website were shut down today after I notified the ministry of the security hole. That confirms that this is a serious security issue."

Curran yesterday morning informed the ministry, Minister Collins and the Privacy Commissioner.

However, Ministry spokesman Nathan Green says Curran's second breach allegation doesn't stand up either. "The 63,000 documents Clare Curran is referring to in her second release are all publicly available Tenancy Tribunal decisions - the public is supposed to have access," he says.

Following access to confidential Ministry of Social Development information last year, a review of the security of publicly accessible computer systems in government agencies was begun under the auspices of Government CIO Colin MacDonald.

"The GCIO's report has been completed and the response to the report's findings and recommendations are currently being finalised," State Services Commission spokesman Tim Ingleton told Computerworld late last week. "The GCIO's report and the response to it will be publicly released. The aim is for this to take place in May."

Contacted again yesterday, Ingleton says he is not aware of any change to these plans since then in the light of the recent breaches.

Both the Ministry of Justice and the Earthquake Commission -- from which sensitive information was erroneously sent attached to emails at least twice -- will have been covered in the review.


Stories by Stephen Bell
