The Government cannot guarantee all information it holds about members of the public is safe, Finance Minister Bill English has admitted.
English revealed the worrying state of Government department databases in the wake of new security breach allegations.
The latest claim involves the Ministry of Justice website which Labour claims contains a security flaw which could put thousands of New Zealanders at risk.
The Labour Party says a member of the public brought the "gaping hole" to its attention. The anonymous whistleblower claims the public can gain access to Ministry passwords and databases, giving them the ability to obtain personal and financial details of thousands of New Zealanders.
It comes after a series of privacy breaches and security flaws in Government-linked organisations.
Labour's information technology spokesperson Clare Curran described it as a "very serious matter", and "yet another gaping hole in the security of a major Government site".
However, Justice Minister Judith Collins has denied the claims.
Collins said the website has been deliberately hacked but no personal details were accessed.
"This is like a burglar getting past the front gate of your house, your property, but not getting past the front door. No personal information has been accessed," she said.
Labour has admitted it has no evidence to prove the website was not hacked and has written to the Ministry and the Privacy Commissioner asking them to investigate.
No sensitive information accessed
Quizzed about the latest breach during Parliament's Question Time today, English said it was his understanding that no sensitive information had been accessed.
When questioned by Labour leader David Shearer, he said: "I'm not exactly sure what the member is referring to, but if he is referring to some publicity today around an attempt to hack the Ministry of Justice, that attempt failed."
English was taking questions on behalf of Prime Minister John Key, who is currently in China on a trade mission.
On being pressed further on the security breach, English said: "I can only take the advice of the relevant minister, who says that it (confidential MoJ information) is not (available to the public).
"But the issues the member is raising are issues which underline the importance of having our intelligence agencies in good shape and with good, updated law and technology, so they can combat that kind of behaviour along with Government departments."
He said that Key "has taken action" to ensure the public's information is secure, but "we cannot yet give the assurance that public servants and their organisations have the correct procedures in place to protect all individual information".
"There has been an extensive review of the procedures, of data security procedures, at all Government agencies," English said.
"I think what's become apparent is that these kind of events have almost certainly been going on for many years, but now they are drawing public attention and are unacceptable to the public.
"But I can tell the member that the audit of security processes followed by agencies showed that under his Government nothing was done, many of them had no procedures whatsoever, and that is why the Government has to move decisively to upgrade those procedures."
Security flaw exposes passwords
The MoJ security flaw revealed today allows access to a list of Ministry of Justice passwords and databases, via a publicly accessible search engine on its website, Labour claims, adding that it could "allow a malicious person to redirect payments to and from members of the public".
The databases exposed could include information about people the courts have imposed a fine on, and victims of crime receiving reparations. It would also contain the details of those with licences issued by the MoJ.
"The Ministry of Justice holds incredibly sensitive data - including information about the victims of crime. The Government has a fundamental duty to protect that information. This flaw, if exploited, could have a devastating effect on thousands of people," said Curran.
The flaw was highlighted to Labour through a member of the public who was able to access a text file containing Ministry passwords. This file has since been passed to the MoJ, and the whistleblower has offered to help the department fix the problem.
Curran has now written to Justice Minister Judith Collins and the Privacy Commissioner Marie Shroff to take action.
"This is the latest in a disturbingly long line of information
technology security flaws and privacy breaches. There is clearly a
major systemic problem with IT security," she said.
"In the past two years more than 100,000 Kiwis have had their privacy breached by government agencies, including the ACC, MSD, IRD and EQC. This is an issue of public trust and confidence in government systems.
"The National Government needs to treat this matter with the seriousness it deserves, and stop hiding behind human error as an excuse for not protecting people's private information."
There has been no immediate response from the Ministry.