He Puna Taimoana hot pools in New Brighton, Christchurch (Design: Tina Tiller)

OPINION | Society | September 9, 2022

No, the Christchurch hot pools weren’t ‘hacked’ – the council just messed up


It’s much easier to claim you’ve been hacked than to ‘fess up to failing to protect customer data, writes Dylan Reeve.

If there’s one important thing to know about modern computing, it’s probably this: security is hard.

In some ways internet security is easier now than it’s ever been – we have built-in antivirus; our home internet connections are usually pretty safely firewalled; most of the big websites we use have entire departments filled with well-trained geeks keeping things secure.

But also we’re in a time where everything is online. Hell, some car companies are using our ubiquitous always-online reality to turn things like heated seats into monthly subscriptions.

While getting stuff on to the internet is easier now than ever before, it’s also, therefore, easier to screw that up somehow. And that appears to be what happened to Christchurch City Council’s He Puna Taimoana hot pools.

The Stuff article about this issue, headlined ‘Computer hacker steals sensitive information from 20,000 Christchurch hot pools customers’, illustrates how the facts can be obfuscated when information security is covered by those who – through no fault of their own – lack the specialist knowledge to fully understand what’s going on.

A better headline for their article would have been ‘Christchurch City Council organisation leaves sensitive information from 20,000 customers unprotected online’.

Obligatory hacking stock photograph

I’ve written before about organisations crying “hacking” when they make mistakes that see their information shared more widely than they intended, and headlines about this latest situation, based on public statements from the council, did just that.

For some reason, it would appear the council-owned pools had been using a system that puts important files in “the cloud” – the nebulous term we use for stuff we store on the internet in a way we don’t really understand – and due to, presumably, some type of configuration error, more than 20,000 files (some containing sensitive personal information like passport details) were accessible to anyone who knew, or could figure out, where to look.

Why, exactly, was a council swimming pool storing sensitive personal data about their customers? Well it’s not immediately clear exactly what data was being stored online, but being a council facility, the complex offers discounted rates to local residents, for which proof of address and identity may be required. Part of this process can be completed online through the pool’s website, and requires the submission of a “proof of address”.

We live in a world of digital technology, and cheap storage, so it is often easy for organisations, when designing systems like this, to simply say, “oh, we’ll just store it all in case we need it later”. So, rather than just sighting the records in question, they’ll take a copy and hold on to them in case they want to double check later. Under New Zealand privacy law, organisations are only allowed to collect information they need for a lawful purpose, and they have an obligation to protect the information they collect. But many don’t think about whether they need to actually store all that they collect beyond the very moment it’s needed.

Spoiler: this data wasn’t ‘hacked’ either

In general, storing stuff online is easy and cheap now. You can sign up for an account with Microsoft Azure, Amazon Web Services or Google Cloud in just minutes, and there are countless ways to integrate existing software tools with those services. This ease of setup is also an ease of screw-up, however, and it’s simple to make a configuration mistake that might open your data to anyone who stumbles upon it.

But we also live in a time where irresponsibly handling customer data is frowned upon so, like many before them, the council decided to frame their mistake in this instance as the malicious action of someone else.

The Stuff article about the incident describes the event as “hacking” which is certainly how the council would like the situation understood, and says, in the opening paragraph, “information about as many as 20,000 members of the public has been stolen in a data breach”.

But a detailed post from US data breach news website, DataBreaches.net, which first notified the council about the issue, describes the situation very differently, explaining that a researcher had stumbled upon the unsecured “blob” (a general file storage container) on Microsoft’s Azure cloud service and attempted to notify the council without response before reaching out to DataBreaches.

In this instance the council had been relying on “security by obscurity”, essentially the idea that something is secure just by being hard to find – sort of like putting your life savings under a mattress, instead of a safe, on the grounds that no one is likely to look there.

Unfortunately for the council (and literally tens of thousands of other organisations worldwide which have made the same mistake), the contents of their unsecured storage had been discovered and indexed by at least some specialist search engines online that are used by both white hat (ethical) and black hat (criminal) hackers for research and exploitation.

The initial researcher, and subsequently DataBreaches, downloaded only enough data from the cloud service to understand what was stored there and by whom, and then made good faith efforts to contact those responsible for the issue so they could correct it.

However in his email to affected customers, Christchurch City Council head of sport and recreation, Nigel Cox, said that a third party, which he accurately described as a “white-hat hacker” had “accessed and illegally downloaded files stored on the He Puna Taimoana cloud server”, suggesting a level of illicit activity that simply wasn’t present, and also subtly avoiding the question of the council’s culpability for failing to secure the data.

The article about the issue from DataBreaches concludes with this summary:

The council should have disclosed this incident by saying, “We screwed up and didn’t lock down all the files we had with your personal information. We’re sorry for that and embarrassed. Thankfully, a kind and ethical researcher discovered our mistake, and when they couldn’t reach us to alert us, they asked a journalist they trusted to make the notification. The researcher and their employer destroyed all the data they had downloaded.”

Organisations of all sizes need to take the time to understand the implications of the technologies they’re relying on, and when they (almost inevitably) screw something up, they should be up front with their customers and the public about what happened. Similarly, journalists who are covering the complex world of IT and information security should take the time to check with subject matter experts before taking an organisation’s word for it that they were “hacked” – because most of them would much prefer that framing over “screwed up”.

Image: Archi Banal

OPINION | Society | September 7, 2022

Five tools for making NZ ‘tough on crime’ – the right way


The evidence is clear: harsher sentences don’t actually deter crime in any meaningful sense. So what does work? Lawyer Andrew Grant has some suggestions.

Aotearoa in 2022 has a crime problem.

Instances of violent crime have increased by 30% from pre-pandemic levels. “Ram raid” incidents, probably the most publicised pattern of criminal activity in New Zealand in 2022, have more than doubled over the past 12 months. Business owners, parents and ordinary New Zealanders are justifiably scared.

The frequent reaction to a rise in criminal activity is to clamour for the government to “get tough on crime”. I’ve heard it frequently during my career as a lawyer in New Zealand and the United States. Usually, it means a call for harsher sentences for offending and a more aggressive approach to prosecution. Political figures of all stripes have advocated for these measures in 2022, on the basis that they would remove ram raiders from society and keep violent criminals off our streets. This, they say, makes us safer.

The problem is that, in anything more than a very short-term sense, it doesn’t.

The evidence from around the world tells us that imposing longer prison sentences for offenders, particularly those under 25, does not cause crime rates to fall. As the US-based National Institute of Justice found in 2016, harsher punishments usually have no deterrent effect on young would-be criminals. In fact, longer prison sentences often cause crime rates to rise over time, such is the effect imprisonment has on those consigned to it.

It’s not hard to imagine why that is. If a young person, particularly one already at a socio-economic disadvantage, commits a crime out of youthful stupidity, locking that person up for an extended length of time is likely to be disastrous. Educational or job opportunities will probably not be there when they get out, and they’re bound to become disengaged from whatever might have previously kept them on the straight and narrow in the outside world.

Most consequentially, they’ll be exposed to other prisoners who will contribute only to their sense of bitterness at the system. They’ll be taught how to be a worse, more hardened criminal. Once that young person rejoins the outside world, usually with no support, the commission of further and worse crime is the obvious result. We are all then much less safe.

Is there a better way? I think so. Being “tough on crime” really means addressing the causes of crime, and preventing repeat offending. It means stopping criminal activity at its source, and rehabilitating those who do offend, particularly at a young age, back into society.

Here are five ways to do that:

1. Increasing police resourcing and training. The National Institute of Justice research tells us that while the prospect of tougher sentences is not a deterrent to people breaking the law, an increased chance of getting caught certainly is. We need to increase police numbers, train them well and back them with better resources.

2. More funding for organisations to ensure our kids get to school regularly. Fewer than 60% of teenagers now regularly attend school in New Zealand. The connection between truancy and crime among high school students is clear and obvious. Organisations like Community Patrol New Zealand, as well as the Māori and Pasifika Wardens, do so much good in our communities. They are well-placed to partner with the government to ensure our kids get to class and stay out of trouble.

3. More funding for early-intervention mental health support in the criminal justice system. There is a strong link between poor mental health and criminal activity. Compulsory mental health support as part of a corrective sentence gives offenders a significantly better chance of getting on the right path after they do their time.

4. Compulsory vocational training as part of more custodial sentences. One of the key problems with sending young people to prison is the complete absence of options they have to contribute to society once they’re out. Work drastically reduces the chances of repeat offending and more importantly, gives dignity.

5. Funding for post-sentence pastoral support. Custodial sentences are isolating experiences, and tossing a person back into the community with no support system once they’ve served their time makes it much more likely that they’ll turn to crime again. Look at the prevalence of 501 deportees in the Auckland CBD if you don’t believe me. Funding for community-based support people and mentoring at organisations like the Citizens Advice Bureau, local marae and the Auckland City Mission would provide much-needed guidance to people integrating back into society.

All of this has echoes of a “social investment” approach to criminal justice. Advocates of social investment know that its application to areas like criminal justice not only makes us a safer and happier country, but also has a strong economic case behind it.

The evidence is clear that if we keep treating the justice system as a tool for punishment and isolation, the bill for taxpayers in policing, prosecuting and incarcerating people over and over again will only increase over time. Corrections estimates that it costs roughly $150,000 to keep someone in prison for a year in New Zealand. It costs even more per person to run New Zealand’s courts system, which is well beyond capacity as it is. Police expend countless resources on violent, recidivist crime. The health system suffers, too.

By contrast, putting more money into well-trained police, mental health support and vocational training in prisons will dramatically reduce the cost of crime in the long run. Quite simply, fewer people would commit fewer crimes that cost the taxpayer money. Those who would otherwise be engaged in repeated criminal behaviour are instead far more likely to hold down jobs, pay tax and contribute to New Zealand.

There are, of course, exceptions. But for the most part, use of the five tools above would drastically improve criminal justice outcomes in New Zealand. Fewer people would offend, and fewer victims would feel the effects of their offending.

That’s really getting “tough on crime”.