Member log in

Keith Ng: MSD report honest, reasonable - but leaves one big question

UPDATE: Blogger Keith Ng has described the first phase one Deliotte report into Ministry of Social Development security breaches as "honest" and "reasonable."

But he says one big question remains: why.

That is, why the MSD ignored a Dimension Data report early last year, which flagged security issues with public computer kiosks (in its report, Deloitte notes that Beneficiary Advocacy Federation spokeswoman Kay Brereton also alerted the MSD to security issues with the kiosks in October 2011).

He notes that at his morning's briefing, MSD chief executive Brendan Boyle said cost wasn't an issue.

"But that doesn't leave us much to work with," Mr Ng told NBR ONLINE.

But although frustrated by the lingering question, the blogger said he appreciated the MSD could not address the "why" in detail while investigations into four staff are underway.

(The staff investigations were announced by Mr Boyle this morning as part of his wider 'damning' report.)

"Unfathomable" - Privacy Commissioner
This hard-hitting report – especially since it follows hard on the heels of the ACC report - shows just how far some of our major agencies have to go before we can be confident our information is protected," Privacy Commissioner Maria Shroff said.

“Basic IT security safeguards to protect personal information were missing, from the time the ‘kiosk’ system was built. And it’s unfathomable that the Ministry did not address Dimension Data’s revelations that sensitive personal information was exposed on network shares.

"The decision about how to handle such a serious problem should have been made at the highest levels of the business. This raises questions about the wider culture of handling information within MSD."

Looking at IT security is only one part of the picture, the Privacy Commissioner said.

"A complete mind-shift is needed in some quarters. There's been far too little focus on the fact that there are real people behind the information that government agencies hold. Those agencies need to develop and embed strong leadership, governance structures, policies and practices to manage personal information at every level of the organisation.

“The problems with the MSD kiosks are now evident. Whether there have been wider failures of leadership, policies and strategy about how personal information is handled within the Ministry is still to be seen. However, I expect the next stage of this review to ask some penetrating questions."

"True test" to come
Institute of IT Professionals NZ chief executive Paul Matthews told NBR, "The report makes clear that it should never have happened and if good project management and IT governance layers were in place, the lack of action when issues were highlighted wouldn't have occurred."

On the positive side, the ministery acted fast to identify and isolate the issue, commissioned independent reports into what happened and didn't try to hide the findings - even where damning, Mr Matthews said.

"And most importantly, have set the scope of the second report to look at the contribution of the surrounding cultural issues towards security and related matters, which we believe will need to change."

He summed up, "So a good response thus far, but the true test will be in what the ministry does about it," Mr Matthews said.

No prosecution
Separately, the MSD issued its first decisive statement on possible legal action against Mr Ng and his associate Ira Bailey.

"MSD does not intend to prosecute either of these two men," spokesman David Venables told NBR.

NBR relayed the news to Mr Ng, who did not want to comment futher on the legal question. He said MSD had been couteous throughout the affair. If prosecuted, Mr Ng could have faced up to two years' jail.

Ng launches own inquiry

Blogger Keith Ng is gatecrashing a Ministry of Social Development (MSD) security report briefing this morning.

LATEST: Deloitte investigation into MSD security breach 'damning' RAW DATA: The Review

Mr Ng told NBR ONLINE he has also fired off a series of Official Information Act (OIA) requests in a bid to learn how blogger Cameron Slater got information about the scandal so quickly, and who tipped off Herald journalist Claire Trevett about the identity of his source (Urewera 17 member Ira Bailey).

To that end, he has sent OIAs to the MSD, the Prime Minister’s office and Social Development Minister Paula Bennett’s office asking for all correspondence each has had with Mr Slater and Ms Trevett.

The blogger said he found Ms Bennett's comment to NBR (“To the best of my knowledge no one in my office spoke to media about Mr Bailey prior to Keith Ng releasing his name on his blog") vague compared to the MSD's categoric denial.

Mr Ng has also requested a copy of the Dimension Data report from last year that raised security concerns about MSD public computer kiosks, which were subsequently not addressed.

10am media briefing by MSD boss
Yesterday afternoon, the ministry invited various media to a 10am press conference in Wellington, with a 9am lockdown briefing ahead of it.

Mr Ng, who writes for Russell Brown’s Public Address, was not on the list.

"I'm gatecrashing," he told NBR as he made his way to the Bowen St briefing. [UPDATE: He was allowed in.]

The briefing will be co-presented by MSD chief executive Brendan Boyle, who sits on the independent inquiry’s steering committee, and Deloitte chairman Murray Jack, who is leading the investigation.

The pair will update on the first phase of the Deloitte investigation, which focused on the kiosk security breach uncovered by Mr Bailey, and first reported by Mr Ng. 

A second phase of inquiry will look at the MSD's broader network, and corporate culture.

More by Chris Keall

Comments and questions

Surely it should say "blogger and Editor of Truth"

what does the public expect - you start restructuring and pull out enough capability from underneath the public sector and of course things break...

time to sack these 'professional service' companies and take govt services inhouse.
enuff budgetry smokes and mirrors from mr english

cos its cheaper and we need to save money

The review showed that the external partner Dimension Data drew attention to the security issues which the government department ignored. Sounds to me like it was the "inhouse" team you are lauding which was the problem here.

Taking the govt services in- house does NOT guarantee better security . This sounds like the age old argument of outsourcing vs in-house IT services !

Spoken like PSA trough-pig, and an anonymous coward

Anonymous #3, this was an error by the inhouse team. The external consultants (DimensionData) found the problems and told MSD about them, and MSD didn't fix them. I don't think we can blame this on anyone but MSD themselves.

There was a time in the 1970's - 2000 area when government computer systems were thoroughly specified, signed off, developed and then tested to the extreme.

Now, it seems, they are built from the hip, probably by analyst/programmers with dubious experience of the departments business, obviously not tested to any extent and here's the results for all to see.

To use the garage/car anology, testing requires that the vehicle be driven round the block, fast, slow, both ways, upside down, inside out, etc,etc, in other words testing to see if it can be broken.

Now, it appears that testing is turning the key on to see if the motor will start and that's it. Rather like Microsoft sending out Beta versions of new software for the public to test.

not exactly on topic, but i love the dire straits reference. good work.

not a mystery to me either...

Isn't it just amazing that people working at any place where the email address has .govt in it, there is never any accountability? Just more expenditure to waste time, taxpayer money, whilst the culprits figure out who else they can blame, organise another review, and bury everything in mountains of paper. Incompetence is no barrier to entry in the .govt world. No wonder it is still so unionised!