1 00:00:05,320 --> 00:00:05,760 Speaker 1: Kia ora.
2 00:00:05,840 --> 00:00:08,840 Speaker 2: I'm Chelsea Daniels and this is the Front Page, a
3 00:00:08,920 --> 00:00:16,720 Speaker 2: daily podcast presented by the New Zealand Herald. A major
4 00:00:16,880 --> 00:00:21,480 Speaker 2: online security breach has raised questions about how safe our
5 00:00:21,560 --> 00:00:23,960 Speaker 2: private information is online.
6 00:00:24,560 --> 00:00:26,560 Speaker 1: Manage my Health's health
7 00:00:26,320 --> 00:00:30,280 Speaker 2: portal systems were compromised over the new year, putting the
8 00:00:30,400 --> 00:00:35,520 Speaker 2: data of over one hundred and twenty thousand users at risk. Later,
9 00:00:35,760 --> 00:00:40,120 Speaker 2: we'll check in with internet security expert Black Veil's Adam Burns,
10 00:00:40,159 --> 00:00:44,520 Speaker 2: who immediately identified flaws in the website, which isn't unusual
11 00:00:44,600 --> 00:00:46,000 Speaker 2: for Kiwi domains.
12 00:00:46,240 --> 00:00:47,840 Speaker 1: But first on the Front
13 00:00:47,520 --> 00:00:51,199 Speaker 2: Page, NZ Herald senior reporter David Fisher has been
14 00:00:51,240 --> 00:00:54,640 Speaker 2: following the breach and will break down what happened and
15 00:00:54,760 --> 00:00:56,000 Speaker 2: who is behind it.
16 00:01:00,040 --> 00:01:01,800 Speaker 1: So David, let's start at the beginning.
17 00:01:02,040 --> 00:01:06,600 Speaker 2: What exactly happened in the Manage my Health breach and
18 00:01:06,080 --> 00:01:07,320 Speaker 2: what even is it?
19 00:01:07,520 --> 00:01:13,560 Speaker 3: To Manage my Health is a patient health information database
20 00:01:13,680 --> 00:01:19,600 Speaker 3: connection point where health services can upload and put information
21 00:01:19,800 --> 00:01:24,520 Speaker 3: specific to an individual's account, a patient's account. I, for example,
22 00:01:24,600 --> 00:01:27,919 Speaker 3: have a Manage my Health account.
I get a regular
23 00:01:27,959 --> 00:01:30,840 Speaker 3: blood test done and the lab results, they get posted
24 00:01:31,040 --> 00:01:33,800 Speaker 3: in the Manage my Health account for me to see
25 00:01:33,800 --> 00:01:35,720 Speaker 3: them at the same time as the doctor does, right.
26 00:01:35,760 --> 00:01:37,520 Speaker 2: And it's kind of one of those things where like
27 00:01:37,560 --> 00:01:40,640 Speaker 2: if you need another prescription filled or something, you just
28 00:01:40,760 --> 00:01:43,280 Speaker 2: log in to Manage my Health and ask for another prescription.
29 00:01:43,400 --> 00:01:44,039 Speaker 1: Stuff like that.
30 00:01:44,680 --> 00:01:46,920 Speaker 4: The idea is that you automate everything.
31 00:01:46,959 --> 00:01:50,080 Speaker 3: Yeah, and some parts of the country don't have quite
32 00:01:50,120 --> 00:01:53,480 Speaker 3: so much technology wrapped around their health services. Northland,
33 00:01:53,520 --> 00:01:56,120 Speaker 3: for example, I suspect it's been particularly hard hit because
34 00:01:56,120 --> 00:02:01,080 Speaker 3: that's the case there. The idea is to collect all
35 00:02:01,120 --> 00:02:03,640 Speaker 3: the information that a patient needs to know and that
36 00:02:03,680 --> 00:02:06,840 Speaker 3: their medical professionals need to know in one place, and
37 00:02:06,880 --> 00:02:11,040 Speaker 3: it's a widely used service too. Manage my Health on
38 00:02:11,400 --> 00:02:15,680 Speaker 3: its landing page on its web page says it is
39 00:02:16,919 --> 00:02:20,600 Speaker 3: trusted by one point eight million New Zealanders to look
40 00:02:20,639 --> 00:02:21,800 Speaker 3: after their health records.
41 00:02:21,960 --> 00:02:24,440 Speaker 2: Right, so this latest breach, tell me a little bit
42 00:02:24,480 --> 00:02:26,840 Speaker 2: about it. How did it come about and how many
43 00:02:26,919 --> 00:02:29,120 Speaker 2: people are potentially affected?
44 00:02:29,880 --> 00:02:32,120 Speaker 3: First sign of the breach was picked up by Manage
45 00:02:32,160 --> 00:02:36,600 Speaker 3: my Health on December thirty and they realized or recognized
46 00:02:36,639 --> 00:02:42,440 Speaker 3: that they had had unauthorized access to their platform. That
47 00:02:42,960 --> 00:02:47,760 Speaker 3: suspicion became concrete the day after, December thirty one, when
48 00:02:47,840 --> 00:02:53,760 Speaker 3: Manage my Health received an email from somebody who had
49 00:02:53,880 --> 00:02:58,880 Speaker 3: claimed they had a leak. They posted a sample of
50 00:02:58,919 --> 00:03:01,760 Speaker 3: the documents that they claimed have been leaked to them
51 00:03:02,440 --> 00:03:06,160 Speaker 3: on a site where these things are posted, and they said,
52 00:03:07,040 --> 00:03:10,680 Speaker 3: we'll keep it quiet and the documents will never see
53 00:03:10,720 --> 00:03:13,519 Speaker 3: the light of day if you give us sixty thousand
54 00:03:13,560 --> 00:03:14,560 Speaker 3: dollars US. What
55 00:03:14,639 --> 00:03:17,079 Speaker 1: kind of information are we talking about here?
56 00:03:17,960 --> 00:03:24,960 Speaker 3: So the sort of information is quite specific actually, and
57 00:03:25,520 --> 00:03:26,760 Speaker 3: where you're going to Manage my Health.
58 00:03:26,800 --> 00:03:29,120 Speaker 4: There's a range of different
59 00:03:30,919 --> 00:03:33,040 Speaker 3: menus that you can click on, for example, the lab
60 00:03:33,120 --> 00:03:35,920 Speaker 3: results one which I mentioned earlier for me, and prescriptions
61 00:03:35,960 --> 00:03:39,360 Speaker 3: and so on. But there's also a part of the
62 00:03:39,360 --> 00:03:44,360 Speaker 3: website which deals with clinical documents, and these documents that
63 00:03:44,880 --> 00:03:49,200 Speaker 3: are scanned and then uploaded onto the site. So this
64 00:03:49,280 --> 00:03:52,400 Speaker 3: is the part that was hit.
Manage my Health says
65 00:03:52,560 --> 00:03:55,360 Speaker 3: it's about six to seven percent of the users that
66 00:03:55,400 --> 00:03:59,400 Speaker 3: were affected by this. That works out to be between
67 00:03:59,400 --> 00:04:02,800 Speaker 3: one hundred many one hundred and thirty thousand people in
68 00:04:03,000 --> 00:04:05,960 Speaker 3: court filings to get the injunction to suppress the information
69 00:04:06,920 --> 00:04:09,160 Speaker 3: Manage my Health site at one hundred and twenty seven
70 00:04:09,240 --> 00:04:13,040 Speaker 3: thousand people. So the type of information that gets scanned
71 00:04:13,280 --> 00:04:18,640 Speaker 3: that you could find on there is clinical discharge summaries,
72 00:04:19,200 --> 00:04:24,960 Speaker 3: referral notices to specialists. There could be historical referral records,
73 00:04:25,720 --> 00:04:31,000 Speaker 3: information that patients have uploaded themselves that they want other
74 00:04:31,040 --> 00:04:38,320 Speaker 3: medical specialists to see. It could also have diagnoses of
75 00:04:38,360 --> 00:04:42,720 Speaker 3: your situation. It can have medical histories, there care plans,
76 00:04:42,960 --> 00:04:47,279 Speaker 3: dates of birth, addresses, other personal information. If it is
77 00:04:47,320 --> 00:04:49,680 Speaker 3: the case, as it is in the region of New
78 00:04:49,720 --> 00:04:53,280 Speaker 3: Zealand that I live, that your health services aren't
79 00:04:54,120 --> 00:04:58,120 Speaker 3: particularly joined up in a technical sense, you're more likely
80 00:04:58,160 --> 00:05:03,440 Speaker 3: to have uploads like that happen, where your medical professional
81 00:05:03,520 --> 00:05:06,000 Speaker 3: will produce a letter that might be sent to you
82 00:05:06,040 --> 00:05:07,880 Speaker 3: in the post, but they will also scan it and
83 00:05:08,000 --> 00:05:09,880 Speaker 3: upload it onto Manage my Health.
84 00:05:10,200 --> 00:05:12,560 Speaker 4: That's the information that's been taken.
85 00:05:13,279 --> 00:05:16,760 Speaker 2: Yeah, and you mentioned that Northlanders are particularly badly hit.
86 00:05:18,040 --> 00:05:18,680 Speaker 4: Yeah, that's right.
87 00:05:19,240 --> 00:05:24,400 Speaker 3: The thought is that it's about eighty five thousand, I think,
88 00:05:24,440 --> 00:05:26,320 Speaker 3: was the number of people in Northland that were said
89 00:05:26,360 --> 00:05:30,440 Speaker 3: to be affected by this. That is a hugely disproportionate number.
90 00:05:30,560 --> 00:05:35,719 Speaker 3: And I've not seen an explanation as to why that
91 00:05:35,839 --> 00:05:38,760 Speaker 3: might be, but I do suspect that it is that
92 00:05:38,880 --> 00:05:48,160 Speaker 3: gap in technology. Northland healthcare, it's stretched, it's very stretched,
93 00:05:48,200 --> 00:05:51,960 Speaker 3: and it has been for a very long time, and
94 00:05:52,279 --> 00:05:54,240 Speaker 3: it is hard for GPs to make a go of
95 00:05:54,279 --> 00:05:57,200 Speaker 3: a surgery up here. It's hard for surgeries to get
96 00:05:57,240 --> 00:06:01,080 Speaker 3: GPs to work at them. A lot of the infrastructure
97 00:06:01,120 --> 00:06:04,279 Speaker 3: is quite aged and quite dated. So to my mind,
98 00:06:04,320 --> 00:06:07,560 Speaker 3: that would lend itself to a scenario where more information
99 00:06:07,720 --> 00:06:11,800 Speaker 3: was produced in hard copy and then uploaded, sort of
100 00:06:12,080 --> 00:06:15,640 Speaker 3: kind of like talking to your parents about how to
101 00:06:15,680 --> 00:06:21,280 Speaker 3: do email stuff, where they will write up a letter
102 00:06:21,279 --> 00:06:23,360 Speaker 3: on a computer, print it out, scan it, and then
103 00:06:23,400 --> 00:06:25,000 Speaker 3: attach it to an email and send it to you.
104 00:06:25,160 --> 00:06:28,279 Speaker 2: Oh no, my mom takes photos of things and sends them
105 00:06:28,120 --> 00:06:31,640 Speaker 4: to me. Exactly that kind of thing.
106 00:06:32,920 --> 00:06:35,440 Speaker 2: What do we know about this group or the people
107 00:06:35,800 --> 00:06:38,560 Speaker 2: that are responsible for this hack or say that they're
108 00:06:38,560 --> 00:06:39,680 Speaker 2: responsible for this hack?
109 00:06:40,520 --> 00:06:41,600 Speaker 4: So the person that,
110 00:06:43,160 --> 00:06:47,719 Speaker 3: individual that has claimed responsibility is an individual called Kazu,
111 00:06:48,560 --> 00:06:49,640 Speaker 3: K-A-Z-U.
112 00:06:50,279 --> 00:06:53,800 Speaker 4: That's a handle rather than a name. They say that
113 00:06:54,200 --> 00:06:56,360 Speaker 4: they are an individual rather than a
114 00:06:56,320 --> 00:07:00,800 Speaker 3: group in that that handle is relatively, it's only been
115 00:07:01,040 --> 00:07:06,200 Speaker 3: in existence for the last six months. And I contacted
116 00:07:06,600 --> 00:07:10,760 Speaker 3: the person claiming to be that hacker, interviewed them via
117 00:07:11,080 --> 00:07:17,239 Speaker 3: Telegram, the social messaging app, and they had said
118 00:07:17,320 --> 00:07:20,440 Speaker 3: that they had gone out on their own. Prior to that,
119 00:07:20,920 --> 00:07:25,320 Speaker 3: they operated by a different handle, and by inference were
120 00:07:25,440 --> 00:07:28,120 Speaker 3: more a part of a collective back then. We do
121 00:07:28,240 --> 00:07:33,720 Speaker 3: know that they have been involved in other hacks or
122 00:07:33,760 --> 00:07:36,240 Speaker 3: that they have been the recipient of hacked information in
123 00:07:36,280 --> 00:07:36,720 Speaker 3: the past.
124 00:07:38,320 --> 00:07:39,760 Speaker 4: They've said to me that
125 00:07:41,720 --> 00:07:46,720 Speaker 3: they have received payments for that and that it is
126 00:07:46,800 --> 00:07:51,080 Speaker 3: a viable business model for them, that they look for
127 00:07:51,440 --> 00:07:54,120 Speaker 3: health information as a particular thing that they do seek out,
128 00:07:54,200 --> 00:07:59,240 Speaker 3: and having sought that out, they say that it's not
129 00:07:59,360 --> 00:08:03,400 Speaker 3: unusual to then extract money as a result of having
130 00:08:03,440 --> 00:08:04,320 Speaker 3: obtained that information.
131 00:08:04,760 --> 00:08:06,880 Speaker 2: Yeah, and when it comes to the money, do we
132 00:08:06,920 --> 00:08:10,080 Speaker 2: have any idea if that sixty thousand US has been
133 00:08:10,080 --> 00:08:10,840 Speaker 2: paid out or not?
134 00:08:12,360 --> 00:08:12,960 Speaker 4: We don't know.
135 00:08:14,240 --> 00:08:18,840 Speaker 3: We do know that Kazu claimed to be in negotiations
136 00:08:18,960 --> 00:08:24,720 Speaker 3: last week. I suspect that the time that was bought
137 00:08:24,720 --> 00:08:29,360 Speaker 3: for negotiations was probably more Manage my Health's favor for
138 00:08:30,840 --> 00:08:35,760 Speaker 3: cybersecurity people to try and track down Kazu, perhaps even
139 00:08:35,760 --> 00:08:36,520 Speaker 3: our GCSB.
140 00:08:36,679 --> 00:08:37,160 Speaker 4: Who knows.
141 00:08:38,320 --> 00:08:42,520 Speaker 3: But it's very often left unknown whether or not these
142 00:08:43,080 --> 00:08:48,760 Speaker 3: payments are made, and there have been places in the past,
143 00:08:49,840 --> 00:08:54,160 Speaker 3: not necessarily New Zealand, who have denied making payments and
144 00:08:54,160 --> 00:08:58,280 Speaker 3: then evidence has emerged later that they have done. These
145 00:08:58,280 --> 00:09:01,960 Speaker 3: places are in a terrible bind.
One of the things
146 00:09:01,960 --> 00:09:05,400 Speaker 3: that was puzzling about the Kazu hack was that the
147 00:09:05,440 --> 00:09:09,280 Speaker 3: amount of money was seen as very small for the
148 00:09:09,320 --> 00:09:13,680 Speaker 3: sort of information that was available. I'd talk to Kazu
149 00:09:13,720 --> 00:09:18,160 Speaker 3: about that, and what was relayed back to me was
150 00:09:18,160 --> 00:09:20,560 Speaker 3: that that's part of the model. Don't make it too painful,
151 00:09:21,320 --> 00:09:26,200 Speaker 3: make it easy. And as that said to me, they're
152 00:09:26,240 --> 00:09:28,680 Speaker 3: only in it to make money. They don't want to
153 00:09:28,679 --> 00:09:32,360 Speaker 3: create obstacles with barriers that are going to get between
154 00:09:32,400 --> 00:09:33,800 Speaker 3: them and the cash that they're after.
155 00:09:33,960 --> 00:09:35,760 Speaker 2: It is a real catch twenty two, isn't it? Like
156 00:09:35,800 --> 00:09:38,920 Speaker 2: the whole thing, do not negotiate with terrorists. So that's
157 00:09:38,920 --> 00:09:42,679 Speaker 2: probably a pretty good reason as to why we don't
158 00:09:43,160 --> 00:09:45,720 Speaker 2: say if we've paid or not, because then others around
159 00:09:45,760 --> 00:09:48,120 Speaker 2: the world would be like, hang on, New Zealand's a
160 00:09:48,160 --> 00:09:50,120 Speaker 2: place where they pay out pretty easily.
161 00:09:50,679 --> 00:09:55,240 Speaker 3: That's exactly right, and you become a target for further problems,
162 00:09:55,440 --> 00:09:58,480 Speaker 3: and that's not the kind of attention that we want.
163 00:10:04,880 --> 00:10:08,320 Speaker 5: Nothing is one hundred percent secure.
We are secure to
164 00:10:08,400 --> 00:10:11,040 Speaker 5: the best of our knowledge, and we do all the
165 00:10:11,040 --> 00:10:17,440 Speaker 5: professional test which any industry assessment will make independently that
166 00:10:17,520 --> 00:10:20,959 Speaker 5: we were a secure software. I'm a victim of the hack.
167 00:10:22,480 --> 00:10:27,040 Speaker 5: My personal record is out there, right, and so's lots
168 00:10:27,080 --> 00:10:31,840 Speaker 5: of my friends and families. I am deeply distressed that
169 00:10:31,960 --> 00:10:35,560 Speaker 5: this is out there and this has happened on software there.
170 00:10:36,480 --> 00:10:39,599 Speaker 5: Our company has worked pretty hard to serve people.
171 00:10:42,200 --> 00:10:44,480 Speaker 1: In terms of Manage my Health,
172 00:10:44,520 --> 00:10:47,920 Speaker 2: Manage my Health has described itself as a victim of
173 00:10:48,080 --> 00:10:51,640 Speaker 2: crime while also admitting that it did drop the ball.
174 00:10:52,160 --> 00:10:53,160 Speaker 1: Where do you see
175 00:10:52,960 --> 00:10:56,760 Speaker 2: the line between being a victim and being responsible?
176 00:10:57,040 --> 00:11:00,480 Speaker 3: Well, the victims here are Manage my Health's clients, patients.
177 00:11:00,520 --> 00:11:05,439 Speaker 3: The one that the information belonged to. Manage my Health
178 00:11:05,840 --> 00:11:10,440 Speaker 3: has, in my view, created a situation where they have
179 00:11:10,520 --> 00:11:14,599 Speaker 3: been whacked. The Privacy Act is pretty clear on this.
180 00:11:14,920 --> 00:11:18,760 Speaker 3: If you look after people's information, you are responsible for
181 00:11:18,840 --> 00:11:21,280 Speaker 3: creating an environment in which that information is going to
182 00:11:21,320 --> 00:11:24,440 Speaker 3: be safe. So that is your job, and that was
183 00:11:24,480 --> 00:11:27,439 Speaker 3: Manage my Health's job.
They should have created an environment
184 00:11:27,520 --> 00:11:31,880 Speaker 3: in which no hacker could get to that information. So look,
185 00:11:32,080 --> 00:11:35,480 Speaker 3: I'm very sad and sorry for Manage my Health. But
186 00:11:35,880 --> 00:11:40,480 Speaker 3: if Manage my Health was able to produce evidence that
187 00:11:41,520 --> 00:11:46,120 Speaker 3: they had a Fort Knox like security around patient information,
188 00:11:46,320 --> 00:11:48,920 Speaker 3: then that sympathy that I have might be a little
189 00:11:48,920 --> 00:11:53,240 Speaker 3: bit more than fleeting. My sympathy's with the patients. It's
190 00:11:53,280 --> 00:11:56,680 Speaker 3: with those people whose information has been obtained by others.
191 00:11:57,240 --> 00:11:59,880 Speaker 3: And I've spoken to people who have lost, they believe,
192 00:12:00,480 --> 00:12:06,959 Speaker 3: incredibly, incredibly personal information and really are having trouble getting
193 00:12:07,000 --> 00:12:09,360 Speaker 3: through the day and sleeping at night as a result
194 00:12:09,400 --> 00:12:10,280 Speaker 3: of it being out there.
195 00:12:11,160 --> 00:12:13,280 Speaker 1: So where do we go from here?
196 00:12:13,760 --> 00:12:17,800 Speaker 3: There's a government investigation under way, as ordered by
197 00:12:17,880 --> 00:12:21,520 Speaker 3: Minister of Health Simeon Brown, and there's also an
198 00:12:22,559 --> 00:12:25,360 Speaker 3: Office of the Privacy Commissioner investigation under way as
199 00:12:25,360 --> 00:12:27,760 Speaker 3: well that will be looking as to whether Manage my
200 00:12:27,840 --> 00:12:32,319 Speaker 3: Health met its responsibilities under the Privacy Act.
In terms
201 00:12:32,360 --> 00:12:35,720 Speaker 3: of the investigation ordered by Simeon Brown, I would
202 00:12:35,760 --> 00:12:39,600 Speaker 3: have thought that the Ministry of Health would have required
203 00:12:41,360 --> 00:12:45,400 Speaker 3: Manage my Health to meet some pretty stringent security standards
204 00:12:45,960 --> 00:12:48,040 Speaker 3: to be able to set up and run the business
205 00:12:48,080 --> 00:12:51,360 Speaker 3: that they have set up and run. If those weren't
206 00:12:51,480 --> 00:12:54,960 Speaker 3: part of the baseline expectation, and if there wasn't auditing
207 00:12:55,000 --> 00:12:57,679 Speaker 3: around that, then I think that question does come back
208 00:12:57,720 --> 00:12:58,400 Speaker 3: to the Ministry of
209 00:12:58,400 --> 00:12:59,040 Speaker 4: Health as well.
210 00:13:00,120 --> 00:13:03,320 Speaker 3: You know, if we're going to allow a situation where
211 00:13:03,360 --> 00:13:07,600 Speaker 3: private providers can step in and take hold of what
212 00:13:07,800 --> 00:13:12,719 Speaker 3: has traditionally been a state job, then they've got to
213 00:13:12,760 --> 00:13:15,680 Speaker 3: be held to really, really high standards, and we're going
214 00:13:15,720 --> 00:13:18,520 Speaker 3: to make sure that they're audited to ensure that they
215 00:13:18,559 --> 00:13:22,400 Speaker 3: stay at those high standards. So this business will have
216 00:13:22,480 --> 00:13:26,040 Speaker 3: quite a way to run in terms of accountability. In
217 00:13:26,160 --> 00:13:30,640 Speaker 3: terms of tracking down Kazu, I think probably the same
218 00:13:30,760 --> 00:13:33,400 Speaker 3: chance as a snowball on any of the days that
219 00:13:33,400 --> 00:13:36,840 Speaker 3: we're having now. And for the patients and their private information,
220 00:13:38,400 --> 00:13:41,960 Speaker 3: who knows? Kazu has said that if the money gets paid,
221 00:13:42,000 --> 00:13:46,000 Speaker 3: then that information will never be seen again. They do
222 00:13:46,120 --> 00:13:49,040 Speaker 3: have a track record of that, but that record is
223 00:13:49,080 --> 00:13:51,640 Speaker 3: only six months long. The other thing about it, too,
224 00:13:51,760 --> 00:13:55,640 Speaker 3: is that there's so much useful information in there to
225 00:13:55,840 --> 00:14:01,160 Speaker 3: other people of Kazu's ilk, other people who will dates
226 00:14:01,160 --> 00:14:07,360 Speaker 3: of birth or travel information, passport information, address information, all
227 00:14:07,400 --> 00:14:12,280 Speaker 3: those personal indicators that they're incredibly, incredibly valuable because they
228 00:14:12,320 --> 00:14:16,000 Speaker 3: can be used to leverage other exploits that can earn
229 00:14:16,120 --> 00:14:21,320 Speaker 3: other people like Kazu more money. So for those people,
230 00:14:21,520 --> 00:14:26,560 Speaker 3: a very uncertain future. In an ideal situation, not that
231 00:14:26,680 --> 00:14:29,600 Speaker 3: it is ideal, perhaps Manage my Health paid the money.
232 00:14:29,960 --> 00:14:32,800 Speaker 3: Perhaps Kazu did what Kazu said they would do and
233 00:14:32,840 --> 00:14:35,560 Speaker 3: deleted all the information and that's the end of it.
234 00:14:36,560 --> 00:14:40,600 Speaker 3: But those people that have been affected will not know that,
235 00:14:41,720 --> 00:14:44,200 Speaker 3: and they can never really be sure, and that's a deeply,
236 00:14:44,320 --> 00:14:47,480 Speaker 3: deeply unsettling thing for them.
237 00:14:47,720 --> 00:14:48,680 Speaker 1: Thanks for joining us,
238 00:14:48,680 --> 00:14:51,120 Speaker 4: David. Thank you, Chelsea.
239 00:14:58,200 --> 00:15:01,920 Speaker 2: After the breach, Adam Burns of security company Black Veil
240 00:15:02,080 --> 00:15:07,000 Speaker 2: voluntarily tested the website and app and found flaws in both.
241 00:15:07,440 --> 00:15:10,160 Speaker 2: He joins us now to break down what happened and
242 00:15:10,240 --> 00:15:13,400 Speaker 2: what companies can do better to protect themselves.
243 00:15:13,640 --> 00:15:17,520 Speaker 1: And you, So.
244 00:15:17,560 --> 00:15:21,960 Speaker 2: Adam, were there any warning signs or security gaps from
245 00:15:22,000 --> 00:15:24,440 Speaker 2: your point of view when it comes to Manage my Health?
246 00:15:25,200 --> 00:15:28,680 Speaker 6: From the research that I did and posted in the blog, yes,
247 00:15:28,840 --> 00:15:32,720 Speaker 6: there were some big gaps that should have been plugged
248 00:15:32,920 --> 00:15:38,160 Speaker 6: a long time ago. These are basic fundamental DNS domain issues.
249 00:15:38,720 --> 00:15:41,680 Speaker 6: So yeah, there was a number of gaps that I
250 00:15:41,720 --> 00:15:45,840 Speaker 6: would consider them to be required for any organization, but
251 00:15:46,000 --> 00:15:50,920 Speaker 6: especially a health organization dealing with patient records and such.
252 00:15:51,160 --> 00:15:53,480 Speaker 1: And what kind of gaps? So you mentioned DNS.
253 00:15:54,840 --> 00:15:58,760 Speaker 6: Yeah, DNS stands for Domain Name System, so I'll just
254 00:15:58,800 --> 00:16:01,360 Speaker 6: explain real quick what that is. When you visit a
255 00:16:01,360 --> 00:16:05,520 Speaker 6: website on the Internet, you type a name like nzherald
256 00:16:05,560 --> 00:16:09,920 Speaker 6: dot co dot nz. DNS server takes that name and converts
257 00:16:09,920 --> 00:16:12,600 Speaker 6: it into an IP address, so that's where the server
258 00:16:12,720 --> 00:16:18,600 Speaker 6: actually is.
And yeah, DNS essentially, without DNS, the Internet
259 00:16:18,680 --> 00:16:21,440 Speaker 6: does not work, so you can see how important it is.
260 00:16:22,720 --> 00:16:27,560 Speaker 6: And DNS also controls where, how traffic is directed to
261 00:16:27,600 --> 00:16:31,840 Speaker 6: your website, how emails get to you, how users log in,
262 00:16:32,240 --> 00:16:34,960 Speaker 6: log out, all of those sorts of things. So the
263 00:16:35,000 --> 00:16:39,400 Speaker 6: gaps that I found are talking about email, mostly email
264 00:16:39,440 --> 00:16:45,400 Speaker 6: security issues, and domain and website security issues, so pretty
265 00:16:45,480 --> 00:16:49,080 Speaker 6: key things to plug when you've got users logging into
266 00:16:49,400 --> 00:16:50,280 Speaker 6: a health portal.
267 00:16:51,280 --> 00:16:51,560 Speaker 1: Yeah.
268 00:16:51,640 --> 00:16:54,600 Speaker 2: And is that quite a common mistake or gap, I
269 00:16:54,640 --> 00:16:56,960 Speaker 2: suppose, for websites in New Zealand?
270 00:16:58,520 --> 00:17:01,000 Speaker 6: Yeah, so I've done, I did a lot of research
271 00:17:01,040 --> 00:17:03,760 Speaker 6: on this last year. I built a little app and
272 00:17:03,840 --> 00:17:08,320 Speaker 6: stuck it on the dot nz TLD. TLD stands for top
273 00:17:08,400 --> 00:17:12,119 Speaker 6: level domain. I ran it for about six weeks, collected
274 00:17:12,359 --> 00:17:15,760 Speaker 6: only maybe two and a half thousand domains worth of information,
275 00:17:15,960 --> 00:17:19,480 Speaker 6: but over half of those domains had these exact problems,
276 00:17:19,480 --> 00:17:23,320 Speaker 6: so it's not, it's not an uncommon issue. That is
277 00:17:23,359 --> 00:17:26,680 Speaker 6: super common, and it is not just a New Zealand
278 00:17:26,720 --> 00:17:29,840 Speaker 6: problem either. I've extended my research beyond that too.
279 00:17:30,600 --> 00:17:30,760 Speaker 4: Well.
280 00:17:30,800 --> 00:17:34,840 Speaker 6: I've actually covered fifty one countries now with the agent
281 00:17:34,880 --> 00:17:38,960 Speaker 6: that I built. So yeah, it's a global problem. Have
282 00:17:39,080 --> 00:17:44,320 Speaker 6: you heard Instagram got hacked today or yesterday? N No, Okay,
283 00:17:44,400 --> 00:17:47,600 Speaker 6: Instagram was hacked and seven, I think it was seven
284 00:17:47,680 --> 00:17:51,040 Speaker 6: million user accounts were leaked onto the Internet, like not
285 00:17:51,160 --> 00:17:54,520 Speaker 6: the dark web, they were just leaked onto a forum.
286 00:17:55,040 --> 00:17:56,560 Speaker 7: So I actually scanned them.
287 00:17:56,600 --> 00:17:58,960 Speaker 6: I did the exact same scan on Instagram that I
288 00:17:59,000 --> 00:18:05,320 Speaker 6: did on Manage my Health. Yeah, similar stories. Instagram with
289 00:18:05,480 --> 00:18:06,880 Speaker 6: billions of users.
290 00:18:06,720 --> 00:18:10,200 Speaker 2: Similar story and same security gaps.
291 00:18:10,680 --> 00:18:10,960 Speaker 4: Yeah.
292 00:18:11,000 --> 00:18:15,440 Speaker 6: These, these problems extend beyond small business into the five
293 00:18:15,560 --> 00:18:17,920 Speaker 6: hundred, you know, Fortune five hundred realm.
294 00:18:18,119 --> 00:18:22,680 Speaker 2: Yeah. Yeah, and so how can companies kind of rectify
295 00:18:22,800 --> 00:18:25,840 Speaker 2: or, you know, do better in that respect?
296 00:18:26,600 --> 00:18:30,000 Speaker 6: The first thing I would be doing is asking your
297 00:18:30,040 --> 00:18:34,520 Speaker 6: IT provider, what, what are my current security gaps and
298 00:18:34,600 --> 00:18:38,000 Speaker 6: how can we best plug those?
I have done my
299 00:18:38,080 --> 00:18:41,440 Speaker 6: best to make that information as accessible as I can
300 00:18:41,560 --> 00:18:44,760 Speaker 6: to people on my website, so people can go and
301 00:18:44,800 --> 00:18:46,920 Speaker 6: scan their domains if they want to, and it will
302 00:18:46,920 --> 00:18:50,480 Speaker 6: actually tell them exactly what I found with Manage my Health,
303 00:18:51,000 --> 00:18:54,600 Speaker 6: the gaps, how to fix them, and the impact of
304 00:18:54,800 --> 00:18:57,560 Speaker 6: not fixing them, like what is the, what is the
305 00:18:57,560 --> 00:19:01,280 Speaker 6: main reason I should fix this? Plug this hole? The
306 00:19:01,359 --> 00:19:03,800 Speaker 6: scanner and the results will actually tell you that. And
307 00:19:03,880 --> 00:19:06,919 Speaker 6: if you still, still need more help, I'm here, or
308 00:19:06,920 --> 00:19:09,400 Speaker 6: you can speak to the agent buck on our website
309 00:19:09,440 --> 00:19:15,320 Speaker 6: that also provides human, that humanizes cybersecurity and technical speak.
310 00:19:15,560 --> 00:19:16,320 Speaker 6: In terms of
311 00:19:16,240 --> 00:19:18,840 Speaker 2: what happened with Manage my Health and the kind of
312 00:19:18,880 --> 00:19:23,399 Speaker 2: glaringly obvious, it seems, gaps in many websites in New
313 00:19:23,520 --> 00:19:28,720 Speaker 2: Zealand's security systems, do you think that hackers worldwide who
314 00:19:28,960 --> 00:19:32,199 Speaker 2: do do this for monetary gain is are looking at
315 00:19:32,240 --> 00:19:35,359 Speaker 2: New Zealand at the minute being like, well there's your
316 00:19:35,440 --> 00:19:36,040 Speaker 2: cash grab.
317 00:19:37,160 --> 00:19:37,400 Speaker 4: Yeah.
318 00:19:37,480 --> 00:19:40,280 Speaker 6: I mean this time of year, New Zealand becomes a
319 00:19:40,320 --> 00:19:43,520 Speaker 6: target just because of the great Kiwi shutdown.
320 00:19:43,600 --> 00:19:46,399 Speaker 6: So I don't think we are much of a target
321 00:19:46,480 --> 00:19:50,240 Speaker 6: until this time of year, and I've actually got data
322 00:19:50,280 --> 00:19:55,199 Speaker 6: to prove that. So yeah, we're definitely. The attacks on
323 00:19:55,240 --> 00:19:58,960 Speaker 6: New Zealand and Australia ramp up from November to January,
324 00:20:00,080 --> 00:20:03,440 Speaker 6: and now with this news breaking, I would say will
325 00:20:03,480 --> 00:20:04,560 Speaker 6: be even more of a target.
326 00:20:04,600 --> 00:20:07,120 Speaker 2: Now, how do you make sure if you do have
327 00:20:07,240 --> 00:20:11,120 Speaker 2: your own personal information on the internet with a website,
328 00:20:11,640 --> 00:20:13,879 Speaker 2: are there any ways to make sure that your information
329 00:20:14,000 --> 00:20:14,919 Speaker 2: is actually safe?
330 00:20:15,480 --> 00:20:17,560 Speaker 6: The best thing that you can do to protect yourself
331 00:20:17,760 --> 00:20:21,720 Speaker 6: is make sure that you've got multi factor authentication on everything,
332 00:20:21,840 --> 00:20:23,920 Speaker 6: so enter a password, then
333 00:20:23,720 --> 00:20:25,160 Speaker 7: it will ask you for a code as well.
334 00:20:26,040 --> 00:20:28,919 Speaker 6: Without the code, obviously a hacker can't get into your account.
335 00:20:28,960 --> 00:20:31,840 Speaker 6: They need the physical device that sends you those codes.
336 00:20:31,920 --> 00:20:35,880 Speaker 6: So that is a good way to protect yourself. Other
337 00:20:35,920 --> 00:20:39,320 Speaker 6: than that, you're at the mercy of the people's platform
338 00:20:39,359 --> 00:20:41,880 Speaker 6: that you're using. So the best thing to do there
339 00:20:41,960 --> 00:20:44,399 Speaker 6: is actually ask them, what are you doing to protect
340 00:20:44,400 --> 00:20:49,280 Speaker 6: my information?
What controls and regulations have you got in 341 00:20:49,320 --> 00:20:53,240 Speaker 6: place that protect us? And what happens if there's a breach? 342 00:20:53,600 --> 00:20:56,280 Speaker 6: How do you notify us? How quickly can you clean 343 00:20:56,320 --> 00:20:59,240 Speaker 6: it up? All those sorts of things are things that 344 00:20:59,280 --> 00:21:04,840 Speaker 6: people really be thinking about when using such critical platforms 345 00:21:05,240 --> 00:21:08,000 Speaker 6: or any platform that you log into. 346 00:21:08,600 --> 00:21:12,840 Speaker 2: In terms of this breach, I'm wondering because obviously we 347 00:21:12,960 --> 00:21:15,440 Speaker 2: hear about breaches every now and again, you know, whether 348 00:21:15,480 --> 00:21:19,119 Speaker 2: it's a banking app or a government app or something 349 00:21:19,200 --> 00:21:21,800 Speaker 2: like that. Those are the ones that we hear about. 350 00:21:21,840 --> 00:21:23,639 Speaker 2: Are those just the tip of the iceberg? 351 00:21:24,920 --> 00:21:27,240 Speaker 6: Yes, that is definitely just the tip of the iceberg. 352 00:21:27,280 --> 00:21:31,080 Speaker 6: A lot of it goes unreported. Some of them are 353 00:21:31,160 --> 00:21:33,440 Speaker 6: so small they're not worth mentioning in the news. But 354 00:21:33,600 --> 00:21:35,720 Speaker 6: a small hack to the news might still be a 355 00:21:35,720 --> 00:21:38,920 Speaker 6: big hack to a small business, for example. So yeah, 356 00:21:39,200 --> 00:21:42,440 Speaker 6: there's plenty of hacks that we are not told about. Yeah, 357 00:21:42,480 --> 00:21:46,840 Speaker 6: it's the wild West. The Internet was built, you know, 358 00:21:46,920 --> 00:21:49,679 Speaker 6: in the nineties on trust and if you look at 359 00:21:49,680 --> 00:21:52,000 Speaker 6: the Internet now, it's no longer a trustworthy place. 360 00:21:52,119 --> 00:21:56,720 Speaker 7: So yeah, it's best to assume. 
361 00:21:56,359 --> 00:21:58,399 Speaker 6: That your data is not safe and make sure that 362 00:21:58,480 --> 00:22:02,479 Speaker 6: it is, especially with the introduction of AI. You know, 363 00:22:02,560 --> 00:22:05,600 Speaker 6: if you think about the infrastructure that AI is currently 364 00:22:05,680 --> 00:22:09,920 Speaker 6: running on was built thirty years ago, it's like trying 365 00:22:09,960 --> 00:22:12,080 Speaker 6: to race a Ferrari around a go kart track. 366 00:22:12,760 --> 00:22:15,920 Speaker 7: That's how I would describe it. So yeah, I. 367 00:22:15,880 --> 00:22:18,080 Speaker 6: Almost feel like we need an Internet two point zero. 368 00:22:18,119 --> 00:22:22,560 Speaker 6: But making that happen is virtually impossible or a very 369 00:22:22,720 --> 00:22:26,240 Speaker 6: very slow process because you'd have to do it. Yeah, 370 00:22:26,320 --> 00:22:28,920 Speaker 6: I don't even know how you would achieve that. It 371 00:22:28,960 --> 00:22:30,080 Speaker 6: would be very difficult. 372 00:22:30,200 --> 00:22:32,520 Speaker 7: It's not impossible, but it would be very slow and 373 00:22:32,640 --> 00:22:33,399 Speaker 7: very difficult. 374 00:22:33,800 --> 00:22:36,040 Speaker 2: Well, it seems like the horse's bolted and in a lot 375 00:22:36,119 --> 00:22:38,280 Speaker 2: of ways. Hey, I mean, I can imagine. You know, 376 00:22:38,359 --> 00:22:40,879 Speaker 2: back in the nineties, what we would refer to as 377 00:22:40,920 --> 00:22:44,920 Speaker 2: hackers were individuals going in and doing it one by one, 378 00:22:44,960 --> 00:22:49,040 Speaker 2: whereas now they can make quite sophisticated systems that do like, 379 00:22:49,200 --> 00:22:51,760 Speaker 2: you know, a thousand things at once or something. 380 00:22:52,160 --> 00:22:53,520 Speaker 1: That's probably an understatement. 
381 00:22:54,520 --> 00:22:56,679 Speaker 6: Yeah, I mean, even just in the last twelve months, 382 00:22:56,720 --> 00:23:01,560 Speaker 6: hacking has become a thousand times easier for people. If 383 00:23:01,600 --> 00:23:04,159 Speaker 6: you think about how easy it is for someone to 384 00:23:04,200 --> 00:23:08,120 Speaker 6: install ChatGPT and fill out an essay, for example, 385 00:23:08,359 --> 00:23:12,400 Speaker 6: you can do the same with hacking. There's apps exactly 386 00:23:12,520 --> 00:23:18,640 Speaker 6: like ChatGPT for launching spoofing and phishing campaigns. So 387 00:23:18,720 --> 00:23:21,920 Speaker 6: what they actually can do is like a full reconnaissance 388 00:23:21,920 --> 00:23:24,800 Speaker 6: mission on a business, so they can figure out who's 389 00:23:24,840 --> 00:23:27,479 Speaker 6: the CFO, who's the CEO, who's the CTO. Have they 390 00:23:27,560 --> 00:23:30,360 Speaker 6: been mentioned in the news recently, what time of year 391 00:23:30,440 --> 00:23:32,080 Speaker 6: is it? Have they mentioned the going up a seat, 392 00:23:32,119 --> 00:23:34,480 Speaker 6: those sorts of things. They do a full recon and 393 00:23:34,520 --> 00:23:38,600 Speaker 6: it's fully automated now, so it takes a lot of 394 00:23:38,600 --> 00:23:41,439 Speaker 6: that manual effort away from the hackers. A lot of 395 00:23:41,480 --> 00:23:44,160 Speaker 6: it used to be manual. Now it's all automated. 396 00:23:45,080 --> 00:23:46,919 Speaker 1: So where do we go to next. 397 00:23:47,080 --> 00:23:49,440 Speaker 2: Is it just safe to have none of your personal 398 00:23:49,480 --> 00:23:52,200 Speaker 2: information on the Internet or is that completely unavoidable. 399 00:23:53,720 --> 00:23:56,959 Speaker 6: It's pretty much unavoidable, right. We're kind of reliant on 400 00:23:57,040 --> 00:24:01,520 Speaker 6: technology and the internet without you. 
Imagine if the Internet 401 00:24:01,640 --> 00:24:04,480 Speaker 6: was off for a day, the world would stop. So 402 00:24:04,800 --> 00:24:07,600 Speaker 6: it's not like you can't stop using it. You have 403 00:24:07,640 --> 00:24:09,720 Speaker 6: to keep using it. You just have to be super 404 00:24:09,800 --> 00:24:14,960 Speaker 6: vigilant with protecting your credentials, be very very aware of 405 00:24:15,000 --> 00:24:18,439 Speaker 6: the platforms that you're actually using. Maybe even see if 406 00:24:18,480 --> 00:24:22,720 Speaker 6: there's more secure alternatives. And yeah, just be very very 407 00:24:22,720 --> 00:24:26,800 Speaker 6: suspicious of any links and emails. Like the best advice 408 00:24:26,840 --> 00:24:29,000 Speaker 6: I can offer you for links and emails is hover 409 00:24:29,160 --> 00:24:32,560 Speaker 6: over it. If the link you hover over doesn't look right, 410 00:24:32,600 --> 00:24:33,400 Speaker 6: don't click on it. 411 00:24:33,520 --> 00:24:35,840 Speaker 1: Thanks for joining us, Adam. No worries. 412 00:24:38,560 --> 00:24:41,800 Speaker 2: That's it for this episode of the Front Page. You 413 00:24:41,840 --> 00:24:45,720 Speaker 2: can read more about today's stories and extensive news coverage 414 00:24:45,760 --> 00:24:49,840 Speaker 2: at nzherald dot co dot nz. The Front Page is 415 00:24:49,920 --> 00:24:51,800 Speaker 2: produced by Jane Ye. 416 00:24:51,480 --> 00:24:56,119 Speaker 1: And Richard Martin, who is also our editor. I'm Chelsea Daniels. 417 00:24:56,560 --> 00:24:59,960 Speaker 2: Subscribe to The Front Page on iHeartRadio or wherever you get. 418 00:24:59,880 --> 00:25:03,879 Speaker 1: Your podcasts, and tune in tomorrow for another look behind 419 00:25:03,920 --> 00:25:04,720 Speaker 1: the headlines.