ACCforum: RealMe - Ministry investigates WINZ privacy breach - - ACCforum

Jump to content

Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

RealMe - Ministry investigates WINZ privacy breach -

#1 User is offline   hukildaspida 

  • Advanced Member
  • PipPipPip
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 12 April 2016 - 03:38 PM


Ministry investigates WINZ privacy breach


10:53 am on 5 February 2016

Share on Twitter
Share on Facebook
Share on Google Plus
Share on Reddit
Share on Linked In
Share via email



http://www.radionz.c...-privacy-breach

The Department of Internal Affairs and the Ministry of Social Development are investigating a privacy breach after a Work and Income client accessed someone else's information.

Yesterday, the man told RNZ he was trying to access his WINZ account through government's RealMe identity verification system and got another client's details.

The man - who wished to be known only as Tom - said he had access to personal details such as the other user's phone number and email address, and had the ability to go in and change the details. He was unable to access his own account.

Listen to the interview on Morning Report 3 min 51 sec

The Ministry of Social Development said it had a team urgently working on how the mix-up happened.

The department's deputy chief executive Maria Robertson said there were more than a million successful log-ins every month to the WINZ service.

"There's no systemic issue here. What appears to be the problem - although the Ministry of Social Development is still looking into this - is somewhere down the track inside their systems, a person's information has been linked to the wrong person."

Listen to Maria Robertson on Morning Report 3 min 10 sec


The ministry said it was an isolated problem, but another listener said he had a similar problem.

Andy Linton filed a superannuation form with WINZ electronically after logging on the site using RealMe, but when he went to be interviewed it couldn't be located.

Eventually, he said, it was found attached to someone else's account.

"When you fill in the super form you have to give your date of birth, and you have to give other details like when I became a citizen and you've got to give a whole bunch of details of when you arrived in New Zealand - stuff that I don't really want other people to see if it's not necessary.

"And that was attached to someone else's identity."

The department said it took people's privacy extremely seriously and had robust systems in place to protect client information.
'Serious breach of privacy'

However, cyber security expert David Ayers said it was not the first time WINZ had had one of its systems breached and that was cause for concern.

The incident was a serious breach of privacy, he said.

Listen to David Ayers on Morning Report 2 min 51 sec

"We should be worried about the privacy breaches we're seeing in government and in particular, WINZ, as it was only a couple years ago that WINZ had another breach where [someone] walked into an office and used the kiosk to access private files...here we are with WINZ having further problems again."

The blame for the breach may not lie with its RealMe identity verification system, he said.

"It's less likely to be an issue with RealMe versus either a programming error in the WINZ website or some technological issues with what's known as internet caching, which is used to speed up the internet."

It was perfectly possible to design IT systems where such privacy breaches didn't happen, he said.
Related

Not the RealMe: 'Secure' id service in security breach claim
More IRD privacy complaints upheld
Guidelines to protect hackers proposed
Another privacy breach at Work and Income
0

#2 User is offline   hukildaspida 

  • Advanced Member
  • PipPipPip
  • Group: Member
  • Posts: 3353
  • Joined: 24-August 07

Posted 12 April 2016 - 04:21 PM


Not the RealMe: 'Secure' id service in security breach claim


9:19 am on 4 February 2016


http://www.radionz.c...ty-breach-claim

A user of the government's RealMe identity verification system got sent somebody else's personal details, despite assurances it was a secure way for Kiwis to access online services.

RealMe was set up in the wake of a string of privacy breaches, and allows New Zealanders to store and access personal information. It can be used on multiple government service websites.

The system, which now has 2.3 million accounts and more than 100,000 verified identities won the Security & Online Safety category at the 2014 Australia and New Zealand Internet Awards.

However, one user contacted Morning Report today after he ended up with someone else's information when he used the RealMe service to access his Work and Income account.
Listen to more on Morning Report 3 min 51 sec

The man - who wished to be known only as Tom - told RNZ he had used the service before with no problems.

When logging in, RealMe users are sent a six digit code in a text message, but when Tom entered the numbers, somebody else's details came up.

He said he had access to personal details such as the other user's phone number and email address, and had the ability to go in and change the details.

Tom said he had been unable to access his own account.

"So my concern is that somebody has access to my details.

"You can access a lot of different government websites and services using this detail and it was touted as the security barrier that we needed. If, for instance, this was the case with a bank, it would be a huge problem, but this is worse, because it's our personal details."

He said after years of dealing with government departments, he was not shocked that the system had failed

"I just thought, oh, here we go again."

RNZ is seeking a response from Internal Affairs, which runs the service.

Share on Twitter
Share on Facebook
Share on Google Plus
Share on Reddit
Share on Linked In
Share via email

Next story in National: Who's the boss? Staff deceived in interviews

Joining the discussion couldn’t be easier. Simply sign up using your existing Facebook or Twitter account or create a new login. And make sure to read the rules. Here is a list of other stories that have comments.
0

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users