The monumental District Health Board data hack

As many as 913,000 patients may have had their records accessed in a massive data breach of New Zealand District Health Boards. The hack, which is thought to have also affected Public Health Organizations, was concentrated on the Tu Ora Compass’s computer system. As officials try to contain the damage, it raises – yet again – some damaging questions about the cyber security of Government agencies in New Zealand.

I have long thought that New Zealand has been too slack with data security in Government agencies. It is a recurring problem that has at some point or another affected Inland Revenue Department, Accident Compensation Corporation, Department of Work and Income, to name just a few. All of these agencies have been breached in the last decade, with some of the breaches involving thousands of files being misused or misplaced.

But back to what I think might be one of the biggest data hacks in all New Zealand history. Whilst it is good that the Chief Executive has apologized, it is not enough and there are major failings. Glaring questions need to be rapidly answered by the Ministry, the Chief Executive and those responsible for the maintenance of the data. Very quickly the Chief Executive must find out what steps can be immediately taken to tighten up the security of M.o.H. systems and equally quickly the M.o.H. system administrators must action those recommendations.

The breach appears to affect the lower North Island, particularly people in Wellington, Kapiti Coast and Wairarapa. 648,000 are thought to be affected, but given the data goes back over a decade and includes people who are deceased, the number of affected patients might be close to 1 million people.

The Ministry of Health has to own this incident. If it cannot, Chief Executive Martin Hefford should hand his resignation in, for it was his responsibility to make sure M.o.H. had the correct procedures and personnel.

New Zealanders should be short on patience with Government agencies treating cyber security so poorly as to let this happen. But I have the feeling that after a brief burst of indignation, people will merely shrug their shoulders and life will carry on as if it never happened. The agencies will heave a sigh of relief and say “we got through that one – I am sure we will be fine in the future”, instead of holding those who failed in their roles to account.

It is this kind of resigned behaviour, touched with a bit of “She’ll be right”, implying things will sort themselves out instead of New Zealanders ensuring that the situation before them improves, that prevents this nation getting better. We can be a lot better at these issues, but until we start dragging officials over the coals for indiscretions there will not be any progress.

Tuia privacy breach reminiscent of National-era breaches

It has come to my attention that the database handling the registrations of people and organizations wishing to participate in the Captain Cook 250th Anniversary was breached.

Officially this one was put down to a “coding error” in the website. But in the last couple of days it has emerged that the website provider was not on the list of approved providers for Government departments, which, according to Labour M.P. Priyanka, has since changed. Prime Minister Jacinda Ardern has since made a rule that only those providers on a list vetted and approved

The Chief Executive of the Ministry of Culture and Heritage, Bernadette Cavanagh, must be aware that her future in the role is severely tainted by this failure. The fact that she has not been shown the door or had it formally suggested to her may be because – although quite serious – this is at the lower end of the scale of privacy breaches when recent examples are brought to light.

The more serious breaches I am thinking of are a slew that affected several Ministries and Departments during the National-led Government of Prime Minister John Key. Thousands, if not tens of thousands of people were affected. Under that Government there were notable breaches at Ministry for Social Development including its umbrella agency Work and Income New Zealand; Accident Compensation Corporation and others.

Some of the breaches affected some of our most vulnerable people – victims of domestic violence, handicapped children and people with terminal illnesses. In at least one instance it was put down as an “operational matter”, which I deduced was political speak for internal issue or more to the point: “none of your business”. No one in a senior management role was fired though the case certainly existed for their departure.

So, what could be done to prevent further breaches in the future? Several things actually:

  1. Regularly check who has what access rights to particular information
  2. Ensure that multiple layers of increasing security are in place, cutting off certain groups or individuals when their access rights fail to meet a certain threshold
  3. Require password changes to not be simple ones like password123
  4. Install software to monitor potential outside attacks

Much of this is actually just plain common sense. But the number of large companies, government organizations and so forth where passwords are as weak as the example above is likely to surprise. Use a password that is something like !computer0 – the use of numerical digits and special characters significantly complicates the process of cracking a password for a hacker. A method of getting everyone to change their password on a regular basis could be to set an expiry mechanism that means after a given time – say a month – the password simply stops working and a new one has to be established.

Make sure your antivirus software is working. If you have Windows 10, the default Windows Defender is considered adequate for what most people are going to use their computer for. W.D. is known to clash with exotic antivirus software such as Bitdefender or Norton Antivirus, and may slow your machine down if it finds itself competing with one.

New Zealand needs to draw a line on New Zealanders’ privacy

New Zealanders spend much of their internet time using the services of a few very large tech giants. Facebook, Amazon, Google, Microsoft, Yahoo! are some of them.

I am no exception. I have this blog, which requires an e-mail account, which I have with Gmail. I have a Facebook page for this blog as well as my own private profile. I have a Twitter profile. Across the course of my presence on the internet, I have downloaded applications from Google Play, both free and otherwise.

In order to supply those services and products it is understandable that they will need to store some basic data about their users. They will need to know that their users are verified and not some sort of computer bot. They will need data specific to the types of services and products they supply.

What is not so easily acceptable – and which should be the subject of honest, robust debate – is whether these companies should be able to build up a vast profile of one’s internet footprint. Below is an example from Britain of how Google was able to do so.

A contributor to The Guardian wrote an article a few months ago about how much Google and Facebook for example were able to store about him. The results he found were rather startling. Google was able to store every single search, purchase, e-mail sent/received, app downloaded that he had done for nearly the last 10 years, in his case dating back to 2009. At the time of him publishing the article Google had 5.5 gigabytes of information about his activities.

A few weeks ago I deleted my Google+ accounts. Aside from having barely used them since they were formed, I wanted to reduce the footprint across which Google could collect data about me. Yesterday I became aware of how to check Google’s knowledge of the ads it displays that one might have clicked on – deliberately or accidentally. Over the next few days I am going to see how far I can reduce my Google Ads footprint.

Google is not the only tech company I am trying to reduce my online profile with. Facebook, long accused – justifiably so – of being in breach of the privacy laws of various national jurisdictions, has been issued ultimatums to fix the breaches and demonstrate having done so, or face sanctions.

In my case I have removed photos from prior to 2016. I have family and friends who used to be quite active on Facebook, who have stopped posting and have simply walked away from their accounts. Others have deleted their accounts outright when they have concluded that Facebook has access to too much of their private lives.

I am but a gnat against the likes of Google and Facebook, but I honestly believe that if first world nations made these companies respect their privacy laws, there might be a fighting chance of an overall sea change in how these companies view the world. If New Zealand took a stand and told these companies they would face sanctions for non-compliance, their contemptuous outlook might change. It would have a precedent to follow – other nations have already attempted to lay down the law to Facebook. How long before they try it on Google and the others?

Hopefully not long.


Body scanners coming to New Zealand: Overkill or good?

After a trial that has been conducted at Wellington Airport, Advanced Imaging Technology (A.I.T.) is going to be rolled out at key airports across New Zealand.

The civil libertarian in me has some concerns about how invasive the imaging will be. Will it pick up full body contours, or will it pick up just an outline of one’s body and mark on it anything that appears suspect? Will the imagery be erased once the person going through the scanner is dealt with, or will it be kept on record somehow?

I personally find it frustrating that other countries are somehow dictated to by Federal Aviation Authority rules. When one reads signage on aircraft, even in New Zealand it will often refer to the F.A.A. To me the F.A.A.’s jurisdiction starts/ends at the United States border and the authority I should be answering to is our own Civil Aviation Authority.

Yes, I realize that aviation has not been the same since 11 September 2001. Yes, I realize that people’s perceptions of safety as well as airlines’ perceptions of safety were never going to be the same after that day. But why should other nations succumb to America’s paranoid obsession with all things “security” in the context of national security, especially when so many of America’s national security issues are of their own making?

But okay. The flip side of the coin is somewhat different if the supposed benefits can be proven. And Aviation Security (AVSEC) are meant to keep our airports as safe as they reasonably can. If the images detect narcotics, guns that police officers forgot to take off their belt when they went through, the plastic knife that may have been put in for some other reason and completely forgotten about, and so on then, yes they are doing their job.

If it means someone who planned to enter the waiting lounge and shoot the place up, is stopped, then the scanners have paid their way.

Perhaps I should be more lenient. New Zealand customs and AVSEC officers are not like their Canadian and American counterparts. Generally New Zealand border and airport security are much more friendly, polite and helpful. They don’t hiss like snakes, which I experienced in Los Angeles last year. If an AVSEC officer is overzealous, his/her colleagues are more likely to pick up on the problem and perhaps rein their wayward colleague in.

So, the question I pose is quite a simple, yet fundamental one in the context of border security:

Is it overkill to have full body scanners at New Zealand airports? If yes, why? If not, why not?

Let the debate begin.

Overhauling democracy in New Zealand

Despite the insistence of the political parties in Parliament saying otherwise, I have the distinct impression that New Zealand democracy is under attack. There are some good reasons for saying this. One good example is the number of Bills of Parliament that have been forced through under urgency when there was no legitimate case. Urgency and extraordinary urgency to me should only be used when a law may be about to expire, or a situation exists where a rapid legal change is necessary to avoid significant and immediate adverse effects.

New Zealand once had a bicameral Parliament, that is a two level Parliament, from 1852, which was established under the Constitution Act of that year. The lower house was known as the General Assembly, and the upper one as the Legislative Council. It was abolished in 1951 when Parliament became the current unicameral structure known today.

I believe that there is a case for restoring the bicameral legislature. However before that happens, the 1997 referendum on reducing New Zealand’s Parliament size to 100, which turned out 83% support, should be honoured. The reduced number of Members of Parliament can make way for perhaps an upper house with two senators from each province. To enable this, there would need to be a binding referendum asking New Zealanders whether or not they support a bicameral Parliament.

A Parliamentary priority should be the entrenching of the Human Rights Act, Privacy Act and Constitution Act. I say this on the grounds that concerns about potential terrorist activities, changes in technology – particularly drones and smart phones – are potentially eroding one’s liberty. Dictatorships and terrorism both win when people are fearful and willing to let Government run roughshod over established rights in supposed pursuit of justice. It is also said because there will always be a small minority of people with a malicious intent when they purchase devices capable of storing significant data or prying on others.


In light of recent proposed changes to local governance legislation, and experiences of Canterbury and Auckland where the elected Regional Council was replaced – or in Auckland’s case, disbanded completely – it is time for legislative change. The Local Government Act, 2002 needs to be strengthened so that the only way an elected Council can be voted out is either at the end of the three yearly election cycle, or via a recall vote. It is common knowledge that a Wellington-based bureaucrat will never have certain knowledge about regional planning and governance issues, because that is vested in the local population – which most probably does not reside in Wellington.

Without depriving ourselves of a working law enforcement and national security apparatus, New Zealanders need to know that there are checks and balances in place to make sure Mr Dinosaur does not eat Ms Liberty. These steps would go some way towards achieving that and also improving our image as a democratic nation.