Deloitte phase I investigation into MSD security breach 'damning'

MSD chief executive Brendan Boyle

An investigation into the social development ministry's recent security breaches has found initial concerns about its self-service kiosks were not looked into further.

READ ALSO: Ng: MSD report honest, reasonable - but leaves one big question

MSD chief executive Brendan Boyle has confirmed a number of people will be held accountable for their action or inaction around the breaches.

He says he has launched four employment investigations into staff "across the spectrum".

But he will not be commenting on them because the investigations need to run their course.

The MSD has revealed its first report into last month's breach of the kiosks.

Mr Boyle says the report is damning and details the ministry's failure to separate public kiosks from a network containing corporate files.

The report, carried out by Deloitte, came to a number of conclusions, including:

  • The ministry's insufficient focus on security and privacy during design and build.
  • The ministry's inadequate response to findings from security testing.
  • The ministry's inadequate risk management and escalation within the IT organisation.

The report also found there was an inadequate response to Kay Brereton's October 2011 concerns regarding the security of the kiosks.

There were also four key weaknesses which enabled the security breach:

  • The ability to map network drives was not restricted on the kiosk.
  • There was a lack of separation between the kiosks and the ministry's corporate network.
  • The kiosks operated as an authenticated user on the network, giving the kiosks a trusted level of privilege to the ministry's corporate information.
  • Shares containing sensitive data on the network were not appropriately restricted.
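The third and fourth weaknesses combine: once a kiosk logs on as an ordinary authenticated domain user, any share granted to a broad built-in group ("Authenticated Users", "Domain Users") is readable from it. The following is an added example, not code from the Deloitte report or from MSD, of the effective-access audit a reviewer would run from the kiosk account's viewpoint, with a remediation step that narrows each sensitive share to a named group. Every account, group, share and ACL in it is constructed for illustration.

```python
"""Effective-access audit for network shares, run from the kiosk's viewpoint.

Added example, not code from the Deloitte report or MSD. It models two of
the four weaknesses together: the kiosk ran as an authenticated domain
user, and shares holding sensitive data were not restricted to the people
who needed them. All account, group and share names are constructed.
"""
from dataclasses import dataclass

# Constructed directory: principal -> groups it is a direct member of.
# Token building expands this transitively, as a Windows logon does.
MEMBER_OF = {
    "svc-kiosk": {"Kiosk Accounts"},
    "Kiosk Accounts": {"Domain Users", "Authenticated Users"},
    "jsmith": {"Fraud Investigators"},
    "Fraud Investigators": {"Domain Users", "Authenticated Users"},
}


def token(principal):
    """Identities a logon for `principal` carries: itself plus all nested groups."""
    seen, stack = {principal}, [principal]
    while stack:
        for group in MEMBER_OF.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


@dataclass
class Share:
    name: str
    sensitive: bool
    aces: list  # (kind, trustee, rights): kind is "allow" or "deny"


def can_read(share, principal):
    """Explicit deny beats allow; otherwise some allow ACE must match the token."""
    tok = token(principal)
    matching = [(kind, rights) for kind, trustee, rights in share.aces if trustee in tok]
    if any(kind == "deny" and "read" in rights for kind, rights in matching):
        return False
    return any(kind == "allow" and "read" in rights for kind, rights in matching)


# Constructed shares. The first two show the weakness: broad built-in groups
# ("Authenticated Users", "Domain Users") include the kiosk account.
SHARES = [
    Share(r"\\fs\Investigations", True, [("allow", "Authenticated Users", {"read"})]),
    Share(r"\\fs\Invoices", True, [("allow", "Domain Users", {"read", "write"})]),
    Share(r"\\fs\Fraud", True, [("allow", "Fraud Investigators", {"read"}),
                                ("deny", "Kiosk Accounts", {"read"})]),
    Share(r"\\fs\PublicForms", False, [("allow", "Authenticated Users", {"read"})]),
]


def audit(principal, shares=SHARES):
    """Sensitive shares readable by `principal`; each entry is a finding."""
    return [s.name for s in shares if s.sensitive and can_read(s, principal)]


def restrict(share, owning_group):
    """Remediation: replace broad allows with one named group; deny ACEs are kept."""
    kept = [ace for ace in share.aces if ace[0] == "deny"]
    return Share(share.name, share.sensitive, kept + [("allow", owning_group, {"read"})])


if __name__ == "__main__":
    print("kiosk can read:", audit("svc-kiosk"))
    fixed = [restrict(s, "Fraud Investigators") if s.sensitive else s for s in SHARES]
    print("after restriction:", audit("svc-kiosk", fixed))
```

The per-share deny on the hypothetical `Fraud` share shows why ACL patching alone does not scale: every new share would need the same deny. The durable fix is the one the other two weaknesses point at, namely not giving the kiosk an authenticated identity on the corporate network at all, so that there is no token for broad groups to match.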

The report found the breach would not have occurred in the way it did if any one of these weaknesses had not existed.

Mr Boyle says that of the 7307 items handed over, 1432 contained some personal information, such as a person's name, date of birth or other details.

Ten of those cases involve highly sensitive information.

Mr Boyle again apologised for the breach.

"I'm sorry, however I'm pleased to report the security breach has not been widespread.

"The investigation has confirmed there is no evidence to suggest the information has gone beyond blogger Keith Ng and his informant Ira Bailey."

Mr Bailey was one of the Urewera 17.

Mr Boyle admits the ministry failed to keep the information safe, but says the risk of harm is extremely low.

The report found initial security testing by Dimension Data detailed the lack of network separation and the existence of accessible network shares.

However, these concerns were not fixed, nor were the findings escalated.

"If these two findings had been remediated, the security breach could not have occurred in the manner it did," wrote the report's authors.

Deloitte has now begun phase two of its investigation into the effectiveness of the ministry's wider IT security. The report is due towards the end of the month.


10 Comments & Questions

There's a huge difference between "There is no evidence to suggest more people got the data" and "We can show that nobody else got the data". If they don't have access logs, there'd be no data to suggest, but no data to prove otherwise either. What a complete mess.

Thanks to Keith for doing about the only thing that can change a badly performing institution: imposing massive public humiliation.


"The investigation has confirmed there is no evidence to suggest the information has gone beyond blogger Keith Ng and his informant Ira Bailey."

And there wouldn't be as they clearly have (had) little or no logging in place. As expected; absolute incompetence.

Two years; it is more than likely other parties have accessed and downloaded data.


This reads like MSD are a bunch of bumbling idiots. Giving kiosks trusted status on network so they could access other files, not separating kiosks from the main network...my god...this is really poor


Given the lax security apparent from this incident it seems highly unlikely that the MSD network maintains any audit logging that would "suggest" others have exploited the flaws.

So really they simply can't know if anyone else did it.


An amazing level of incompetence in Govt departments; surely they can get their act together with the vast outside help they are doubtless getting.
WG


It's not amazing to me. More than a decade ago I experienced the utter, unbelievable incompetence of a Govt IT manager who couldn't manage himself let alone anyone or anything else.

A supplier assembled from around the country a top team of experts to a meeting with him to advise on a project which was heading seriously off the rails. He didn't turn up. He was uncontactable on mobile and his voicemail was blocked because it had overflowed. We were apologised to and told this happened all the time.

Needless to say the project was an expensive, disastrous failure. Happily I had bailed immediately.


"will be held accountable"
Really?
A number of wet bus tickets to be used?
liberte


Maybe given the seriousness of this the head at the top should roll rather than middle managers.


My understanding is that there's no audit trail to determine *who* accessed information, but that there *were* network logs. Boyle talked about not finding any "download patterns" - i.e. People leeching large volumes of data, like I did. That seems like a reasonable way to detect intrusion, unless it was someone who covered their own tracks (in which case no audit trail would help).

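The comment above describes looking for "download patterns" in network logs when there is no per-user audit trail. As an added example (not code from the original page, from MSD, or from any commenter), here is one way to run that check over file-server access logs: total bytes per client per hour, compared with a median baseline so a single leecher cannot raise the threshold and hide. The log format, timestamps, IP addresses and share names are constructed.

```python
"""Per-client download-volume check over constructed file-access logs.

Added example, not from MSD or Deloitte. It implements the kind of
"download pattern" review the comment describes: without a per-user
audit trail, bytes per client per hour still exposes a client leeching
large volumes. The log format and every entry below are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed format: "<ISO timestamp> <client IP> <share> <bytes read>"
LOG = r"""
2012-10-10T09:02:11 10.1.5.20 \\fs\Forms 12000
2012-10-10T09:15:40 10.1.5.21 \\fs\Forms 8500
2012-10-10T09:40:03 10.1.5.22 \\fs\Forms 20000
2012-10-10T10:05:09 10.1.5.20 \\fs\Forms 9000
2012-10-10T10:12:27 10.1.5.23 \\fs\Forms 14000
2012-10-10T10:30:00 10.1.5.21 \\fs\Forms 11000
2012-10-10T11:01:15 10.1.5.22 \\fs\Forms 16000
2012-10-10T11:20:44 10.1.5.23 \\fs\Forms 7000
2012-10-10T14:03:12 10.1.5.30 \\fs\Invoices 310000000
2012-10-10T14:21:55 10.1.5.30 \\fs\Investigations 420000000
2012-10-10T14:48:30 10.1.5.30 \\fs\Fraud 190000000
2012-10-10T14:50:02 10.1.5.20 \\fs\Forms 10000
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse(lines):
    """Yield (timestamp, client, share, bytes) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, client, share, nbytes = m.groups()
            yield datetime.fromisoformat(ts), client, share, int(nbytes)


def hourly_totals(records):
    """Bytes read per (client, hour bucket)."""
    totals = defaultdict(int)
    for ts, client, _share, nbytes in records:
        totals[(client, ts.replace(minute=0, second=0, microsecond=0))] += nbytes
    return totals


def flag_leechers(lines, absolute_bytes=100_000_000, factor=50):
    """Clients whose hourly volume exceeds an absolute cap or `factor` x the median bucket.

    The median, not the mean, is the baseline so one heavy downloader
    cannot drag the threshold up and slip under it.
    """
    totals = hourly_totals(parse(lines))
    if not totals:
        return {}
    baseline = statistics.median(totals.values())
    limit = min(absolute_bytes, factor * baseline)
    return {(client, hour.isoformat()): total
            for (client, hour), total in totals.items() if total > limit}


def shares_touched(lines, client):
    """Shares a flagged client read, to scope what may have been taken."""
    return sorted({share for _ts, c, share, _n in parse(lines) if c == client})


if __name__ == "__main__":
    lines = LOG.splitlines()
    for (client, hour), total in flag_leechers(lines).items():
        print(f"{client} {hour}: {total} bytes from {shares_touched(lines, client)}")
```

Two limits follow from the comment itself: the log identifies a client address, not the person at the kiosk, and anyone who paces downloads under the threshold or spreads them across hours is not flagged. Volume analysis is a coarse net, not a substitute for an access audit trail.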

well done exposing all this Keith.

