OnPoint by Keith Ng


MSD's Leaky Servers

My jeans were torn, my hoodie was pretty ragged, and I hadn't shaved for a week. It turned out that bloggers are remarkably good at disguising themselves as unemployed, without even trying.

Last week, I got tipped off that parts of the MSD network were completely exposed to the public. You could go into any WINZ office and use their self-service kiosks to access their corporate network.

These locked-down kiosks are provided so you could look for jobs online, send off CVs etc. They've had some basic features disabled, which supposedly meant that you couldn't just open up File Manager and poke around the machine. However, by just using the Open File dialogue in Microsoft Office, you could map any unsecured computer on the network, and then open up any accessible file.

This basically means you can grab any file that wasn't bolted down on the network, while standing in the middle of a WINZ office. And that's what I did.

So what wasn't bolted down? Let's start with the boring stuff. There were servers connected to their call centre systems, logging calls going in and out. They contained sound recordings which I couldn't open, but which I suspect (for various reasons) are NOT complete recordings of calls. I guess I'll leave that for the Privacy Commissioner.

And then there were file server logs. Normally, they aren't that exciting. Except that WINZ name their files quite well. For example:

s:\SharedData\wi_wites\Waikato\HAM\Fraud Investigations\[Name of investigator]\[Name of WINZ client] 23 Jun 2011 Case 640026-10.WMA

And so on. There were similar files for other "special" clients as well. There are probably a lot of personally identifying details in there, but I didn't spend much time going through them, because then I got tipped off about the invoice server. It contains what appears to be all of MSD's invoices for this year. Among all the invoices for milk and sausage rolls were invoices for:

With full names, hours worked, pay rates and pay details for all of MSD's contract workers (Studylink/Call Centre staff, consultants, *coughmediatrainerscough*, temporary staff, etc).

With full names of candidates for adoptions, foster parents and Limited Services Volunteers (they have to get medical reports first). Others were for children in CYFS care, with their full names and their chief complaint; some of these were for x-rays after injuries.

Debt Collection
MSD's Collection Units use Veda to keep track of people who owe them money. And Veda's invoices to MSD show the full name of every person they helped MSD to locate, i.e. the invoice is a list of people who owe MSD money. MSD outsources debt collection to another vendor, whose invoices detail the full name of each person owing money, how much they've paid and how much they still owe to MSD.

Fraud Investigation
The Benefit Control Unit and Intelligence Unit (basically the fraud investigators) also used Veda to locate and get credit records for people they're investigating (with full names, of course). Conveniently, these are billed separately, under "Benefit Control Unit" and "Intelligence Unit", so it doesn't get mixed up with the Collection Units' invoices. Another set of invoices is for the servicing of court documents on behalf of MSD, some done by private investigators.


That's the light stuff. Now it starts getting messy:

HCN stands for "High and Complex Needs". These are:

..short-term, intensive interventions aimed at addressing the severe and current needs of the most challenging children or young people

Note "the most". Because of its interagency nature, invoices come from other agencies to CYFS. These invoices contain the full names of kids in the HCN programme and the cities they live in. In a few cases, they also contain the date of birth and the name of the school which they attend.

Care & Protection
Care & Protection homes are:

This is a safe and secure place where children and young people will go if they are in our care and can’t live in the community for a while. They might stay at a residence if:

  • there are worries about the child or young person’s safety
  • their actions are putting themselves at risk
  • or they are putting others around them at risk.

These invoices contain the first names, dates and costs of children living in CYFS Care & Protection homes. Other CYFS residential arrangements are also listed, containing the full name of children.

Phone bills
Bills from Telecom for CYFS Family Homes and Care & Protection facilities. Since the billing address is just MSD, it's often hard to tell which facility the phone bill is for. So Accounts has handwritten the full address of each of these facilities on each bill.

Along with the name of the facility and its address is the normal stuff contained in a phone bill: the phone number of each of these facilities, along with a complete log of all the toll calls made from that location.

Bills from pharmacies to CYFS facilities, listing the children in that facility and the medication they are prescribed. These range from the antibiotics and scabies cream to cancer drugs, ADHD drugs, anti-depressants and anti-psychotics.

Legal bills
All of MSD's legal bills are in there, along with other legal bills paid for by MSD (e.g. representation for foster parents). Most of these are invoices from Crown Law. They often mention the full names of parties and lawyers in the case, as well as the nature of the case. This can be very revealing information, for example, if the nature of the case is "Historical Claims", and the lawyers representing one side specialise in historical abuse and the other side is CYFS.

Some of these claims were settled out of court. The details of the settlements are not there, just the fact that a complaint was made and that it was settled.

In any event, all of these invoices are legally privileged.

Last one
One community group invoiced for providing support to a whanau after a suicide attempt (full name of that person included).


I sorted through 3500 invoices. This was about half of what I obtained, and what I obtained was about a quarter of what was accessible. There are probably more outrageous things still on that server, and there are probably other servers that I've completely missed. But I'm done for now.

This stuff was all a few clicks away at any WINZ kiosk, anywhere in the country. The privacy breach is massive, and the safety of vulnerable children was put at risk.

This should never have happened:

  • Public kiosks should not have been connected to the corporate network.
  • Servers that didn't need to be globally accessible should not have been globally accessible, even if they only contained innocuous data.
  • Invoices, file logs and call logs, at a place like MSD, should not have been treated as innocuous data. 
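
A defender's check for the first two points above, as an added example that is not part of the original post: one function confirms that file servers do not answer on SMB from the public segment, the other lists share permissions granted to broad groups. The function names, the principal list and the server names in the comments are hypothetical; the cmdlets are the standard Windows `SmbShare` and `NetTCPIP` ones.

```powershell
# Added example. Function names and the principal list are assumptions, not MSD's setup.
$BroadLeafNames = 'Everyone', 'ANONYMOUS LOGON', 'Authenticated Users',
                  'Users', 'Domain Users', 'Domain Computers'

function Test-SegmentIsolation {
    # Run on a host in the public kiosk segment.
    # Expected result for every corporate file server: SmbReachable = False.
    param([Parameter(Mandatory)][string[]]$Server)
    foreach ($s in $Server) {
        $r = Test-NetConnection -ComputerName $s -Port 445 -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $s; SmbReachable = $r.TcpTestSucceeded }
    }
}

function Get-BroadShareGrant {
    # Run from an admin workstation. Lists every non-administrative share
    # with an Allow entry for a group that effectively means "anyone on the network".
    param([Parameter(Mandatory)][string[]]$Server)
    foreach ($s in $Server) {
        $cim = New-CimSession -ComputerName $s -ErrorAction Stop
        try {
            foreach ($share in Get-SmbShare -CimSession $cim -Special $false) {
                foreach ($ace in Get-SmbShareAccess -CimSession $cim -Name $share.Name) {
                    # AccountName looks like 'DOMAIN\Domain Users'; compare the leaf part.
                    $leaf = ($ace.AccountName -split '\\')[-1]
                    if ("$($ace.AccessControlType)" -eq 'Allow' -and $leaf -in $BroadLeafNames) {
                        [pscustomobject]@{
                            Server  = $s
                            Share   = $share.Name
                            Path    = $share.Path
                            Account = $ace.AccountName
                            Right   = $ace.AccessRight
                        }
                    }
                }
            }
        }
        finally {
            Remove-CimSession -CimSession $cim
        }
    }
}

# Usage (hypothetical server names):
#   Test-SegmentIsolation -Server 'fileserver01', 'invoices01'
#   Get-BroadShareGrant   -Server 'fileserver01', 'invoices01' | Format-Table
```

Share permissions are only one layer: the NTFS ACL on each share's path also applies, and effective access is the more restrictive of the two, so a flagged share still needs its folder ACL reviewed.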

Aside from the files I got my hands on, I was also told that the configuration files for virtual machines were readily accessible in the same way. I've had no experience with setting up virtual machines, but here you go:

If someone knows how bad/not-bad this stuff is, please explain it to me in the comments section! And yes, the bits I blanked out were passwords in plaintext.

The Acting Privacy Commissioner was briefed on this day, and I'll be handing the files over to them tomorrow. This story took most of the week to do, so if you like it, some money would be greatly appreciated.

UPDATE: MSD has told me that they will be taking the kiosks offline until the problem is resolved.
