
MSD boss admits warnings might have been ignored


Ministry of Social Development CEO Brendan Boyle has admitted his agency might have ignored warnings from Dimension Data – the company that tested security on its WINZ kiosks.

Deloitte appointed
Mr Boyle also says Deloitte has been contracted to conduct an independent inquiry of the security breach revealed earlier this week.

The CEO says the inquiry will range beyond the immediate problem with the public kiosks. However, the MSD declined to provide immediate terms of reference.

Inquiry to range beyond kiosks – eventually
“The review will happen in two phases. The first will deal with the immediate issue regarding the security of our public kiosks.

"Deloitte will look at what happened, how secure information was able to be accessed, and will determine why it happened and what steps we need to take to ensure it can’t happen again," Mr Boyle says.

“The second phase will involve a broader look at security across all the ministry’s IT systems, including policies, governance and culture. This second phase will take longer and more work needs to be done on the scope of this part of the review."

Dimension Data off the hook
On Sunday night, blogger Keith Ng revealed one of the public kiosks could be used to access thousands of files on the MSD's network – many of them commercially sensitive or revealing details about the ministry's clients.

“We received a report from Dimension Data in April 2011, which identified flaws in our system," Mr Boyle said in a statement this morning.

At a press briefing yesterday afternoon, Mr Boyle said KPMG and Dimension Data consulted on security for the MSD. Dimension Data had carried out penetration testing on the kiosks and found no issues.

"Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data’s recommendations on security. I will look to the review to provide me with the answers.

"We will be asking Deloitte to determine what we did to follow up this report’s recommendations and whether our response was adequate."

He added, “I can confirm that KPMG was not engaged to penetration test our public kiosks. They have, however, been engaged in doing testing on other parts of our system."

An MSD spokesman was not immediately able to answer whether others had breached security, via the kiosks, before Ira Bailey apparently stumbled on the problem then tipped off Mr Ng.

He would not comment on the cost of the investigation, but passed on an NBR ONLINE request under the Official Information Act.

"We don’t have any reason to believe other people have gained unauthorised access via the kiosks," he added.

ckeall@nbr.co.nz

Comments and questions (4)

In a private company heads would roll for less. In the government the buck never stops.

If a private company (e.g. a bank) did this with client data, they'd pay financially in the sharemarket and at the customer level. Therefore management has all the incentives aligned to get the security right before making applications 'live'.

The problem with government departments (and ACC, for that matter) is that they have no owners who will sell shares when things go pear-shaped, and are monopolies that give no customer choice options either, so there is no customer market signal to punish poor management. Hence management has few incentives to get it right before going live.

For these reasons, it is very risky to trust sensitive personal data to governments, monopolies and other non-owned entities. On the other hand, the medical profession does have some systems for keeping data safe - the 'patient record', in primary care at least, is essentially the patient's property (think of the time-tested 'Plunket book'). Its contents can only be shared with those the patient sanctions, and it must be transferred when changing GPs. Perhaps what we really need is a change of thought in relation to data that government collects on us. What if, like the medical case, we retain the property right in the data, and we only let the government look at it for individually-approved purposes? And have a right to prosecute if it is ever discovered that it is used outside of these cases?

"CEO Brendan Boyle has admitted his agency might have ignored warnings..."

Might??
Come on... be a brave fellow... spit it out.
Did or did not ignore warnings.

Corporate culture??
First, a ministry is no place to develop a corporate culture... and the minister doesn't seem the sharpest tool in the box in the corporate culture dept, mate...