[boop]

Once it was clear that there was was a leak of confidencial information, he should have taken what was required as minimal evidence (a few screenshots?) and then contacted the Acting Privacy Commissioner.

Did he really need to go through files related to Doctors/Radiology, Debt Collectionn, Fraud Investigations, Care and Protection, HCN? Snooping through the servers beyond what was necessary was wrong.

The bigger story is the lack of security on the New Zealand servers. However, what he did was wrong and possible illegal IMHO.

[ppog]

Going that extra mile was necessary to make this a big story instead of having it brushed under the carpet. It seems that the leak was known about as much as a year ago (http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&obj...), MSD were informed, but nothing was done because there was no media firestorm. By showing what was exposed, Keith Ng made the horrific impact of the leak understandable to the public and media and greatly increased the likelihood that something will get done.

[robocat]

I think he has done this exactly right.

This department clearly doesn't value security (multiple levels of deep failure) and the only way to make it important is political pressure via the public and the media.

Only by revealing the breadth of the failure, and doing so publically, could any effective change occur.

It is obvious they could (and did) shut down or secure the kiosks quickly.

If he took a week to consult legal, decide best course of action, make up his mind on risking his neck, or WHATEVER, that is his right and fine by me.

Armchair criticism is easy. Kieth has taken a ballsy action as an individual and he gets my respect.

[jstr]

He did a public service. What he did is (according to lawyers) not illegal. See http://www.nbr.co.nz/article/keith-ng-facing-possible-two-ye....

[cciesquare]

I thought same thing, but read more and realized it was open for awhile, and no one seem to care. It took the breath of his examples to make everyone shock enough to notice.

The only thing that should be illegal is the way all that information was not secured.

[boop]

In addition, the author claimed he spent a week preparing the story. Yet he only contacted the Acting Privacy Commissioner yesterday. He blog was published before the government had a chance to fix the issue. I find this irresponsible.