Reports of a potentially serious security breach in Ministry of Justice database systems are wrong, the ministry's deputy secretary organisational development and support, Rose Percival says.
"There has been no privacy breach and no release of private information," she says.
However, Opposition ICT spokesperson Clare Curran insists, after a second informant contacted her, that confidential files are open to intrusion.
"What has occurred," Percival says of the first alleged breach, "is that someone has accessed an administrative file in a ministry website.
"This isn't a member of the public inadvertently finding information. It appears to be about someone with IT skills deliberately trying to get into a ministry IT system -- the site where people apply to become licensed security guards."
A report alleging a hole which allowed a user to get across from a public sector of the Ministry's website to access a password list was conveyed by the discoverer of the flaw to Curran, who is not disclosing the informant's identity.
An initial impression that the databases covered licences and fines led Curran to suggest "those databases would likely include the personal details of many victims of crimes." But this is not correct, Percival says.
The initial vulnerability brought into view a file of passwords in plain text, which it was believed could in turn be used to access the database. The whistleblower who informed Curran did not themselves try to access the database, but only viewed the password list.
Justice Minister Judith Collins says the passwords in the breached file could only have been used to access databases from within the ministry
"The ministry does not want anyone to be alarmed and is concerned that these claims are being made," Percival says. "The ministry takes information security seriously and has extensive systems and multiple layers of security in place to ensure this.
"The system in question is isolated and protected by firewalls that control access to other ministry systems," Percival says. "The ministry does not believe the person could have used the information in the administrative file to access other ministry systems or information.
"The ministry has identified how the person accessed the administrative file and has closed the affected website while it addresses this issue. It will be running again as soon as testing of the changes is complete.
"Unfortunately, no website, just like no building, is completely secure if people are determined to get into it," Percival says.
However, Curran still insists there are serious holes in the ministry's security. "A second person has this afternoon come forward and said that significant flaws in the ministry website allowed easy access to more than 63,000 documents via the Tenancy Tribunal section of the website," she says.
Sign up for Computerworld eNewsletters.