MSD boss admits warnings might have been ignored
Ministry of Social Development CEO Brendan Boyle has admitted his agency might have ignored warnings from Dimension Data – the company that tested security on its WINZ kiosks.
Mr Boyle also says Deloitte has been contracted to conduct an independent inquiry of the security breach revealed earlier this week.
The CEO says the inquiry will range beyond the immediate problem with the public kiosks. However, the MSD declined to provide immediate terms of reference.
Inquiry to range beyond kiosks – eventually
“The review will happen in two phases. The first will deal with the immediate issue regarding the security of our public kiosks.
"Deloittes will look at what happened, how secure information was able to be accessed, and will determine why it happened and what steps we need to take to ensure it can’t happen again," Mr Boyle says.
“The second phase will involve a broader look at security across all the ministry’s IT systems, including policies, governance and culture. This second phase will take longer and more work needs to be done on the scope of this part of the review."
Dimension Data off the hook
On Sunday night, blogger Keith Ng revealed one of the public kiosks could be used to access thousands of files on the MSD's network – many of them commercially sensitive or revealing details about the ministry's clients.
“We received a report from Dimension Data in April 2011, which identified flaws in our system," Mr Boyle said in a statement this morning.
At a press briefing yesterday afternoon, Mr Boyle said KPMG and Dimension Data advised the MSD on security. Dimension Data had carried out penetration testing on the kiosks and found no issues.
"Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data’s recommendations on security. I will look to the review to provide me with the answers.
"We will be asking Deloitte to determine what we did to follow up this report’s recommendations and whether our response was adequate."
He added, “I can confirm that KPMG was not engaged to penetration test our public kiosks. They have, however, been engaged in doing testing on other parts of our system."
An MSD spokesman was not immediately able to say whether others had breached security via the kiosks before Ira Bailey apparently stumbled on the problem and tipped off Mr Ng.
He would not comment on the cost of the investigation, but passed on an NBR ONLINE request under the Official Information Act.
"We don’t have any reason to believe other people have gained unauthorised access via the kiosks," he added.