One of the men arrested in the Urewera terror raids asked the Ministry of Social Development to pay him for information about problems with its privacy systems, it has been alleged.
A ministry investigation has been launched after blogger Keith Ng reported that he was able to access thousands of files on the agency's servers from the computers in a Wellington WINZ office.
He said he walked into a WINZ kiosk and was able to open files including sensitive case notes, names of children in care and up for adoption, foster parents, lists of people who owed MSD money, details of contract workers and how much they were paid, and the name of a person who had attempted suicide.
Ng last night named Ira Bailey as the person who tipped him off about a "giant vulnerability" in the Work and Income system.
Bailey was initially arrested in October 2007 as part of the police raid against a suspected terror plot. Charges were later dropped against him.
Ng said Bailey now worked as a system administrator and had asked for anonymity after telling him about the problems at Work and Income.
Ng wrote on his blog that Bailey had told him he had "half an hour to kill" at a Work and Income office. He had plugged in a USB drive; when it did not appear, "he had a poke around the system to find it and found the giant vulnerability instead".
Bailey had called MSD to ask if they had a reward system for reporting security vulnerabilities.
"This is not unusual practice, and it's certainly not blackmail," Ng said.
When Bailey had not heard back from MSD he had decided to contact Ng.
"I put him in touch with an experienced hacker. This hacker told us that government organisations in New Zealand don't really pay for vulnerability reports, and that they were likely to either respond poorly or not at all," Ng said.
MSD later contacted Bailey and told him they would not pay for vulnerability reports.
"Ira told them he'd been talking to a journalist and the conversation didn't go anywhere after that," Ng said.
This revelation has certainly added an element of intrigue to Ng's story from yesterday, but it also raises a number of questions. Is it credible that an employed "system administrator" had "half an hour to kill" so he went to a WINZ office to access a kiosk? Why would an employed system administrator be inserting a USB stick into a WINZ computer? What was already on the USB stick that Bailey admits to inserting into the computer? And why did Keith Ng put Bailey in touch with an experienced hacker?
Ira Bailey has a history of activism. When he was arrested as part of the Urewera raids, Scoop published a profile on him which ended thus:
Although clearly a committed political, environmental and rights activist of long standing, friends say Ira had not been heavily involved in recent months, concentrating instead on his wind-generating project.
And interestingly, the Scoop profile noted that Ira Bailey is a good friend of Nicky Hager, of the Don Brash e-mails infamy. The Wellington activist community is indeed a small world!
It would seem that the MSD computer security story has just grown an extra and most intriguing set of legs. Granted, there is no excuse whatsoever for lax computer security, and those who designed and maintained the WINZ kiosks must face scrutiny via the independent inquiry announced yesterday.
There are so many questions surrounding this privacy breach. But we reckon that the most important question is this one: is there more to this whole story than Keith Ng has revealed so far, such as an underlying political agenda, and a concerted attack on the credibility of the Ministry of Social Development, its Minister and the Government?
Watch this space...