BreachExchange mailing list archives

'Significant holes' in Justice Ministry website


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 9 Apr 2013 10:36:03 -0400

http://www.radionz.co.nz/news/political/132378/'significant-holes'-in-justice-ministry-website

The Labour Party says a second person has come forward alerting it to
what it calls significant holes in the Ministry of Justice's website.

The ministry shut down parts of the website on Tuesday after Labour MP
Clare Curran said she was approached by a whistleblower who had
accessed ministry passwords and databases through a search engine on
the site.

Ms Curran, the party's information technology spokesperson, said the
information provided included a password to an online payment system
and she informed the Justice Ministry and its minister, Judith
Collins.

Ms Curran said a second person has been allowed easy access to more
than 60,000 documents in the Tenancy Tribunal section of the website.

She says Ms Collins is attempting to downplay the matter - but it is a
serious security issue.

"This information is explosive in the sense that it clearly
demonstrates the systemic issues that are occurring across government
agencies all showing serious breaches of people's information."

However, Judith Collins says no personal information was accessed.

"This is essentially like a burglar getting past the front gate of
your house of your property, but actually not getting past the front
door. No personal information has been accessed.

"The passwords that they refer to are passwords that can only be used
from within the Ministry of Justice's system."

However, Clare Curran says both breaches are basic security flaws that
do not require a lot of computer programming knowledge.

A Justice Ministry spokesperson says documents referred to by Ms
Curran are all publicly available. All relate to tenancy tribunal
decisions and are available on the Tenancy Tribunal website, he says.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
