Invoices detailing payments from the Canterbury Earthquake Recovery Authority (Cera) to its suppliers could have been accessed due to a security flaw with Work and Income public kiosks.
The public kiosks were shut down last night after it was revealed the Ministry of Social Development's (MSD) computer system could be accessed through them.
Today, it was revealed that information from Cera had also been open to the public as part of the breach.
In a statement, acting Cera chief executive Warwick Isaacs said the authority had been advised that an area storing Cera's scanned invoices was part of the corporate information that had been accessible through the kiosks.
Isaacs said the information included invoices paid by MSD on behalf of Cera to its suppliers between December 2011 and last week.
While Cera did not know if the information had been viewed, Isaacs said the authority would be informing its creditors of the potential breach "where appropriate".
All invoices for central business district demolitions, residential red zone property settlements and personal details of red zone homeowners were stored outside the MSD system and had not been accessed, Isaacs said.
A ministry investigation has been launched after blogger Keith Ng reported that he was able to access thousands of files on the agency's servers from the computers in a Wellington Work and Income office.
He said he walked into a Work and Income kiosk and was able to open files, including sensitive case notes, names of children in care and up for adoption, foster parents, lists of people who owed the ministry money, details of contract workers and how much they were paid, and the name of a person who had attempted suicide.
An independent security expert will conduct an inquiry into the security breach.
Ministry chief executive Brendan Boyle said the review would look at the public kiosks that allowed access to private information.
Ng said it took him two and a half hours to download the files on to a USB.
"It was very easy."
"I think the problem was that they had their corporate network connected to public kiosks. That shouldn't have happened in the first place," he said.
"The second thing that happened is they thought there was nothing sensitive in the invoices. They were really, really wrong about that."
Labour social development spokeswoman Jacinda Ardern today described the breach as "staggering".
"This is an appalling breach of privacy and comes on top of serious security lapses at ACC and the IRD," she said.
MSD GIVEN WARNINGS
Kay Brereton, from Beneficiary Advocacy Federation, today told Radio New Zealand the discovery of a privacy flaw was nothing new.
She said that about a year ago she had tested the kiosks not long after they were introduced and found people could get into the ministry's system.
"I went with my collectors and we had a little play on the kiosks to see what they can do, and one of the guys who was with us found out that you can get back into the MSD system," she said.
"We went far enough to know that there was a problem, and we let Work and Income and MSD national office know that that problem existed. It was important that they did something about it before someone with skills and time found their way back into Work and Income's files."
MSD deputy chief executive Marc Warner last night issued a statement saying: "A security issue was raised with us during the establishment phase for these kiosks. This was investigated and the system was rebuilt soon after".
He said the ministry had been alerted to Ng's latest discovery late yesterday and took immediate steps to secure the system.