Update: A journalist called up earlier knowing Ira's name, and asked me to confirm him as my source. It was clear that somebody had given her the name, and the story was due to be published tomorrow. Sorry I wasn't clear about this in the original.
Update 2: *Obviously* I've been in touch with Ira this whole time. He was also contacted by the journalist yesterday, we discussed how to proceed and then I wrote this. I got his permission to write this and cleared the draft of this with him before I published this. Like, seriously - what kind of dick did you think I was?
So. The guy who tipped me off is Ira Bailey. He was one of the Urewera 17. He currently works as a system administrator, has a young child, and is not interested in being in the media limelight. That's why he asked for anonymity.
He did not have any special access to the system - he just had half an hour to kill at a WINZ office. He plugged in his USB drive and it didn't appear, so he had a poke around the system to find it - and found the giant vulnerability instead.
He called MSD to ask if they had a reward system for reporting security vulnerabilities. This is not unusual practice, and it's certainly not blackmail. Google and Facebook, for example, both pay for vulnerability reporting. It gives them an opportunity to close holes discreetly, without causing embarrassment for their company.
MSD didn't know what to do with his request, and it got slowly bumped up the food-chain.
Ira didn't hear back from them, so he talked to me instead. I put him in touch with an experienced hacker. This hacker told us that government organisations in NZ don't really pay for vulnerability reports, and that they were likely to either respond poorly or not at all.
MSD called Ira back two days later. They told Ira that they don't pay for vulnerability reports. Ira told them he'd been talking to a journalist and the conversation didn't go anywhere after that.
At this point, it was clear that Ira was not going to get paid for it, but that it could still be an important story. He showed me the vulnerability - the only condition was that his name be kept out of it. He wasn't interested in being in the limelight.
The rest, I've already blogged. We have since both deleted all the material from our computers, and Ira assured me it's all gone, and I've assured the Privacy Commissioner of this.
Since he called MSD and left his name and number, it was always likely that they'd out him as a diversion. We had hoped that it wouldn't get to that, but it has, which is why I'm writing this now.
Should he have reported the vulnerability, free of charge? Yeah, that would have been the selfless thing to do for the public good. But asking to be compensated for his troubles is not unreasonable, either. After all, it's not as if the people MSD ended up relying on - KPMG - did it for free.