An investigation into the social development ministry's recent security breaches has found initial concerns about its self-service kiosks were not looked into further.
MSD chief executive Brendan Boyle has confirmed a number of people will be held accountable for their action or inaction around the breaches.
He says he has launched four employment investigations into staff "across the spectrum".
But he will not be commenting on them because the investigations need to run their course.
The MSD has revealed its first report into last month's breach of the kiosks.
Mr Boyle says the report is damning and details the ministry's failure to separate public kiosks from a network containing corporate files.
The report, carried out by Deloitte, came to a number of conclusions, including:
- The ministry's insufficient focus on security and privacy during design and build.
- The ministry's inadequate response to findings from security testing.
- The ministry's inadequate risk management and escalation within the IT organisation.
The report has also found there was an inadequate response to Kay Brereton's October 2011 concerns regarding the security of the kiosks.
There were also four key weaknesses which enabled the security breach:
- The ability to map network drives was not restricted on the kiosk.
- There was a lack of separation between the kiosks and the ministry's corporate network.
- The kiosks operated as an authenticated user on the network, giving the kiosks a trusted level of privilege to the ministry's corporate information.
- Shares containing sensitive data on the network were not appropriately restricted.
The report found the breach would not have occurred in the way it did if any one of these weaknesses had not existed.
Mr Boyle says of the 7307 items handed over, 1432 contained some personal information, such as a person's name or date of birth or other information.
Ten of those cases involve highly sensitive information.
Mr Boyle again apologised for the breach.
"I'm sorry, however I'm pleased to report the security breach has not been widespread.
"The investigation has confirmed there is no evidence to suggest the information has gone beyond blogger Keith Ng and his informant Ira Bailey."
Mr Bailey was one of the Urewera 17.
Mr Boyle admits the ministry failed to keep the information safe, but says the risk of harm is extremely low.
The report found initial security testing by Dimension Data detailed the lack of network separation and the existence of accessible network shares.
However, these concerns were not fixed, nor were the findings escalated.
"If these two findings had been remediated, the security breach could not have occurred in the manner it did," wrote the report's authors.
Deloitte has now begun phase two of its investigation into the effectiveness of the ministry's wider IT security. The report is due towards the end of the month.