No Minister

Breaching data privacy for fun and profit

A lot of organisations hold confidential data and have obligations to keep that data secure.  I work for one, and IT security is something I have to take seriously because we provide publicly accessible services on a network that also stores personal information about our staff and customers, confidential administration documents, financial data etc that all must be kept secure from public access.  It’s the stuff of nightmares, because the people tasked with maintaining that confidentiality when working with the data are ordinary, fallible humans who make mistakes, while the people who’d like unauthorised access to that data for their own purposes are clever, ingenious, ruthless types who’ll find and exploit any mistake they encounter.

It feels like a lot of responsibility to carry (and my share of that responsibility is trivial compared to that of my organisation’s IT Security Manager, he must have a whisky habit that would kill a lesser man).

One thing I had, apparently incorrectly, assumed up until now was that at least the nation’s politicians are on our side and will take data theft seriously as a matter of the public good. If one of our staff makes a mistake and leaves a security loophole that opens access to confidential data for people who can find the loophole and exploit it, it seemed reasonable to assume that the government would treat as criminals the people who’d exploit that security hole to gain unauthorised access to our data.

It turns out I was wrong. No less a figure than the Leader of Her Majesty’s Loyal Opposition and leader of the National Party, Simon Bridges, says that if someone finds such a security loophole in our system and exploits it for unauthorised access to our confidential data, it’s “entirely appropriate” for them to do so.  The NZ Police, for their part, don’t see anything worth prosecuting in it. This is mind-boggling stuff.

National’s supporters, and a range of people who ought to know better, have said that exploiting such security holes for unauthorised access is fine because it’s not “hacking.” Easy for them to say.  Those of us with responsibility for confidential data have no fucks to give about what’s defined as “hacking” and what isn’t, there’s only authorised access to your data vs unauthorised access to your data, and the people looking for a way to gain unauthorised access to your data are data-thieving scum, whether they meet some arbitrary definition of “hacker” or not.

The activity that Simon Bridges is so proud of falls cleanly into that category of “data-thieving scum.”  He’s been careful to present it as just having used a publicly-available search engine. As a data custodian of my organisation, I consider that to be a disingenuous excuse from a data thief.

Here’s what happened:

  1. The documents were secured on Treasury’s web site to prevent public access.
  2. A staff member made a mistake and didn’t block the site’s search engine from indexing the documents.
  3. Anyone finding those documents via the search engine would find access to the documents blocked, and would know why they were blocked.
  4. However, the security hole caused by the staff member’s mistake could be exploited. The search engine displays a brief amount of text either side of the search term it found, so if you bombard the search engine with enough search terms, those brief snippets of text can be collated and a partial view of the secured documents constructed. 
  5. People working for the National Party used the exploit, obtained some of the secure documents’ contents, and used them for the party’s advantage. 

In other words, National found a security failure, figured out how to exploit it and then exploited it for unauthorised access to confidential data for its own advantage.  That, National, is called data theft and is one of the biggest fears of people with responsibility for the security of their organisation’s data. Your claim that it’s the victim’s fault for not securing their property properly is exactly the kind of claim a thief makes, and the fact that the Police believe our legislation doesn’t make such activity illegal is an indictment of our data privacy legislation, not an endorsement of your actions.  You’re supposed to be a government in waiting, for fuck’s sake.

My message to the current government is: please take data privacy seriously.  Finding and exploiting a staff member’s security mistakes to gain unauthorised access to confidential data should be a crime – please make it so.

Written by Psycho Milt

May 30, 2019 at 6:30 pm

Posted in New Zealand

Tagged with

%d bloggers like this: