MSD response to security breach 'inadequate'
Fri, 02 Nov 2012 10:30a.m.
By Lloyd Burr
An initial report into the major privacy breach at the Ministry of Social Development last month has slammed its security systems, saying they “woefully underestimated” the risk of hacking.
It also reveals that Dimension Data, the IT company the ministry had contracted to test and penetrate its systems, had identified the loophole but no action was taken by ministry staff.
Today's report is the first of two into the blunder which saw 7,307 private files downloaded by blogger Keith Ng at the ministry’s self-service kiosks on October 15.
Of these files, 1,432 contained personal information from clients and 10 had highly sensitive information for eight children and two adults. Mr Ng was able to access details of children in foster care, foster parents, lists of debtors and the name of a person who committed suicide.
More than 500 files belonging to the Christchurch Earthquake Recovery Authority were also accessed.
Hundreds of kiosks were shut down, and Social Development Minister Paula Bennett commissioned Deloitte to conduct the inquiry.
MSD chief executive Brendan Boyle says insufficient work was done to the security and information protection systems when the kiosks were rolled out.
“It is clear from the analysis that a number of people within the ministry’s IT function were aware of the kiosk security weaknesses and the risk posed to the access to the ministry’s network,” the report states.
“Appropriate follow-up action was not taken to remediate the weaknesses, either within the project team or the IT security team.”
The report says the ministry’s response to the issues was “inadequate” and public confidence has been eroded.
Four staff members are under investigation following the ordeal, but it is not known what role they played in the breach.
The report says only Mr Ng and associate Ira Bailey accessed the files and there was no widespread breach, based on download similarities across the network.
The ministry’s chief executive Brendan Boyle says the report is damning and his staff seemed to be “slack and sloppy” with their internal processes.
“I’m gutted and disappointed that we have let people down,” he says.
The report recommends separating the kiosk network from the ministry’s main network, both physically and logistically, as well as creating appropriate firewalls to prevent a repeat of the breach.
The kiosks remain closed and will stay closed until they are secure, Mr Boyle says.
A second report, examining the ministry's culture, capabilities and processes, will be released later this year.
The Green Party has accused Ms Bennett of passing the buck, saying she needs to take responsibility for the "disgraceful and repeated breaches of privacy by herself and her ministry".
“The minister promised to keep a close eye during the introduction of the kiosks, but the Deloitte report shows that in the final business case there was no discussion of security risks," says spokesperson Jan Logie.
"This is symptomatic of a ministry that doesn’t understand the importance of keeping confidential the private information it holds."
Labour's social development spokesperson Jacinda Ardern says Ms Bennett needs to stop calling the breach an 'operational matter' because public confidence in her department is not 'operational'.
11/12/2012 2:08:07 a.m.
mia larsen wrote:
@ Bill, sorry my friend, is it because of me and I am a woman that is going to get this mess cleaned up. You are probably wondering how; well, I'll share with you this: independent inquiries are being investigated into the National Party and the part they played in the failed service, including privacy breaches on a systemic level affecting the nation. Watch my space on Facebook under mia joyce
4/11/2012 11:44:38 a.m.
The managers should take responsibility for this - that is why they are paid the big bucks. They sign off on projects etc. If they do not get terminated then why are they paid so highly....?
2/11/2012 10:14:49 p.m.
Has anyone noticed that Brendan Boyle, who feels gutted by the failures of his information technology team, was up until his appointment to MSD CEO in August 2011, the Government Chief Information Officer? Presumably someone in this role might have been expected to have some oversight of information security across all of Govt. Always easier to sack the minnows I guess.
2/11/2012 6:53:37 p.m.
Blame a junior and not the leader, SHAME. They (junior) are only on $15.00 per hour and have nothing to lose. Bennett would lose $100,000+. Easy to see why the junior is under investigation.
2/11/2012 2:30:04 p.m.
I agree with Bill, women with kids should be at home being a mum and not messing with the running of the country. Raising a child is the more important of the two anyhow.
2/11/2012 1:49:46 p.m.
I am wondering why MSD response to anything is inadequate. Well really I do have a fair idea why. Nobody strong at the helm.
2/11/2012 1:09:04 p.m.
Want something stuffed up? Give it to a woman. ACC - Collins, Police - Collins, MSD - Bennett, Education - Parata, Corrections - Tolley. Need I say more.
2/11/2012 1:05:10 p.m.
Sack Paula Bennett. She has openly said and flaunted her penchant for leaking information and no one will have any faith in the MSD until she is removed.
2/11/2012 12:52:40 p.m.
If you have a minister that publicly stated that she would reveal the privacy of people again, no wonder those inside the MSD couldn't give a toss about the privacy of the public. The attitude flows down from the top. Bennett is responsible for the attitude within MSD; she never apologised for her privacy breach, disregarded everything the privacy commissioner said, so the buck stops with Bennett herself. She should resign; I won't hold my breath though.
2/11/2012 12:48:14 p.m.
There is no mention of the lack of oversight from the supposed minister of this department either Jason.
But if you pay millions for a report you can always convince the company to gloss over a few important details as Bennett has done here.
Bennett is currently looking for scapegoats, she should resign from parliament as a result.
National would be demanding like crazy that a Labour Minister in charge do the same thing.
But the National Party and its supporters have always been completely hypocritical.
It's not ok for Labour to sell assets, but is for National to.
It's not ok for Labour to breach privacy, but is for them to.
It's not ok for Labour to close schools, but is ok for National to.
You get the picture with National... they are all full of it and don't know how to take responsibility.
Copyright © 2013 MediaWorks TV. All Rights Reserved.