Report damns ministry over security breaches

Four employment investigations are now underway, following a damning report from Deloitte over the Ministry of Social Development kiosk security failure

The Ministry of Social Development (MSD) has today released a "damning" report which shows its responses to serious security breaches have been inadequate.

Four employment investigations are now underway.

The report, conducted by Deloitte, was commissioned after blogger Keith Ng discovered the ministry's secure servers were accessible through public kiosks in Work and Income offices.

At the time it was revealed an independent report highlighted the risk with the kiosks in April last year and a beneficiary advocate had raised concerns last November.

The report out today shows the Dimension Data report in April 2011 "clearly highlighted security issues that needed to be addressed including the lack of network separation".

"These findings were not appropriately followed up, addressed or escalated for management visibility and action which meant that the risks remained substantially unaddressed."

The significance of the risks was underestimated by the project team responsible for the kiosks and the ministry's information technology security team, the report found.

Ng, and associate Ira Bailey who alerted him to the breach, assisted with the report. They handed over 7307 items downloaded from two kiosks.

More than 1430 of the items contained personal information, including "highly sensitive information" of 10 people.

The ministry had already begun contacting those affected.

Among the items accessed, 533 were Christchurch Earthquake Recovery Authority invoices.

MSD chief executive Brendan Boyle said he was "gutted and disappointed" the agency had let people down.

"The report is damning around MSD's failure to separate public kiosks from a network containing corporate files."

A second Deloitte report would look at broader issues about the security of the ministry's information systems and the culture within the organisation.

That review was due to be completed later this month.

Meanwhile, a barrister was conducting four employment investigations.

"I can assure people that the employment investigations will be thorough and people will be held to account for their conduct," Boyle said.

Comments
Govt Security
Government depts don't take security seriously. I have worked there and know. They don't pay good money so get monkeys for security managers (and CIOs) who consequently wouldn't know good IT Governance/Structure or Security if it hit them in the face. We need MORE breaches to identify the appalling state of security throughout ALL govt departments - and many banks
Posted by Anonymous at 4:57:27 on November 3, 2012

It was the earthquake's fault!
Go read the full report.

Then place bets that the spin doctors will blame the earthquake.

Page 19: The Ministry's Canterbury earthquake response activities commence with a number of key personnel being seconded out of their roles for this effort. This has a major impact on business as usual and projects within the Ministry.
Posted by Anonymous at 15:21:48 on November 2, 2012

It was the earthquake's fault!
So precisely who do you think did all the work around Christchurch to support the MSD clients in Christchurch? The sugar plum fairy? The Christchurch earthquake had a huge impact across NZ - including Govt IT staff. I'm picking you weren't one of the people who needed that help. Nor one of the Govt IT team on a 1am ferry sailing to take a load of laptops down there.
Posted by Anonymous at 15:57:34 on November 2, 2012

and then some
When do the reports on how poorly Deloitte perform come out? I've worked with them in other agencies and they send graduates to work on projects that cost millions with little governance.

However, probably the most important piece here is that Keith Ng is no longer being referred to as a journalist.
Posted by Anonymous at 12:10:01 on November 2, 2012

CEO should be fired
The CEO should go. It's time NZ organisations take security seriously.
This is poor Governance and Senior Management Oversight. Someone should be held accountable.
Posted by Anonymous at 11:54:57 on November 2, 2012

CEO should be fired
CEO started Oct 1 2011 and reports on security issue were ignored starting around that time.

ACC head guy resigned for things occurring before he started yet he took the fall. Will this CEO do the same thing or will he blame others for failings instead of his own lack of oversight? He should know better, he was Government CIO and used to work in e-govt group of SSC.
Posted by Anonymous at 21:16:13 on November 2, 2012

CEO should be fired
Yeh, like this will happen.

MSD CEO is a career public servant.
Posted by Anonymous at 11:12:59 on November 6, 2012

CEO should be fired
Oh please....
Hope the troll-therapy helped. How about an 'effective use of grammar and the English language' course for your next diversion.
Posted by Anonymous at 12:24:13 on November 2, 2012
