By Lloyd Burr and Angela Beswick
A report into the major privacy breach at the Ministry of Social Development last month has exposed “atrocious” processes, Social Development Minister Paula Bennett says.
The initial report has slammed its security systems, saying the ministry “woefully underestimated” the risk of hacking.
“I think it is damning,” Ms Bennett says.
“I think that it shows that we didn’t have the right processes in place, that the ministry didn’t give it due diligence and the importance that it should have and I don’t think there’s anywhere to hide from that.”
The report also reveals that Dimension Data, the IT company the ministry had contracted to test and penetrate its systems, had identified the loophole in April 2011 but no action was taken by ministry staff.
Ms Bennett says she has full confidence in chief executive Brendan Boyle, who she is sure will be able to put it right.
Today's report is the first of two into the blunder which saw 7,307 private files downloaded by blogger Keith Ng at the ministry’s self-service kiosks on October 15.
Of these files, 1,432 contained personal information from clients and 10 had highly sensitive information for eight children and two adults. Mr Ng was able to access details of children in foster care, foster parents, lists of debtors and the name of a person who committed suicide.
More than 500 files belonging to the Christchurch Earthquake Recovery Authority were also accessed.
Hundreds of kiosks were shut down, and Ms Bennett commissioned Deloitte to conduct the inquiry.
Mr Boyle says insufficient work was done to the security and information protection systems when the kiosks were rolled out.
“It is clear from the analysis that a number of people within the ministry’s IT function were aware of the kiosk security weaknesses and the risk posed to the access to the ministry’s network,” the report states.
“Appropriate follow-up action was not taken to remediate the weaknesses, either within the project team or the IT security team.”
Prime Minister John Key is blaming human error for the breach and says ministry staff should have acted on a report from Dimension Data last year, which clearly highlighted security problems.
“The ministry did absolutely the right thing in April 2011, but despite having a report showing where the security issues were, they actually ignored that and didn’t deal with it.”
Mr Key says the WINZ kiosks were an important tool for people to interact with the Government and the ministry should have got it right.
The report says the ministry’s response to the issues was “inadequate” and public confidence has been eroded.
Four staff members are under investigation following the ordeal, but it is not known what role they played in the breach. Ms Bennett would not comment on the future of the four staff, saying it is an employment matter.
The report says only Mr Ng and associate Ira Bailey accessed the files and there was no widespread breach, based on download similarities across the network.
The ministry’s chief executive Brendan Boyle says the report is damning and his staff seemed to be “slack and sloppy” with their internal processes.
“I’m gutted and disappointed that we have let people down,” he says.
The report recommends separating the kiosk network from the ministry’s main network, both physically and logistically, as well as creating appropriate firewalls to prevent a repeat of the breach.
The kiosks remain closed and will do until they are secure, Mr Boyle says.
A second report, examining the ministry's culture, capabilities and processes, will be released later this year.
The Green Party has accused Ms Bennett of passing the buck, saying she needs to take responsibility for the "disgraceful and repeated breaches of privacy by herself and her ministry".
“The minister promised to keep a close eye during the introduction of the kiosks, but the Deloitte report shows that in the final business case there was no discussion of security risks," says spokesperson Jan Logie.
"This is symptomatic of a ministry that doesn’t understand the importance of keeping confidential the private information it holds."
Labour's social development spokesperson Jacinda Ardern says Ms Bennett needs to stop calling the breach an 'operational matter' because public confidence in her department is not 'operational'.