Second Deloitte report into MSD security breach 'brutal' - Keith Ng

MSD chief executive Brendan Boyle

"Pretty brutal" is how blogger Keith Ng describes the Deloitte report on Phase II of its investigation into the Ministry of Social Development kiosk security breach.

Deloitte's Phase I report focused specifically on the MSD security gap first publicised by Mr Ng (public computer kiosks at WINZ allowing wide-ranging access to client and commercially sensitive files on the ministry's network).

Phase II of the independent investigator's assessment looked at whether the breach was symptomatic of governance, cultural and technical problems across the MSD.

Privacy Commissioner: good - but when?
"The Deloitte report on MSD makes it very clear that there is a need for strong leadership by senior management on the way client information is handled within MSD," Privacy Commissioner Marie Shroff says.

Ms Shroff said she was pleased MSD had pledged to act on the report's recommendations. But she added, pointedly, that she looked forward to a timeline.

Security czar
The report notes that while the Government Communications Security Bureau (GCSB) and other agencies lay down information security guidelines, the MSD has no process to assess if they are being met.

In response, the ministry has pledged to appoint a chief information security officer, with recruitment to begin "within the next few weeks."

Chief executive Brendan Boyle says the person who fills the new role will be in charge of implementing the recommendations in Deloitte's two reports, and will have ongoing responsibility for information security.

The Phase II report says no evidence was found of the security breach identified by Mr Ng (and first identified by Ira Bailey) being exploited by others.

Only lip-service to information security
Mr Ng told NBR ONLINE, "The key findings [on pages 15 - 17 of the report in RAW DATA, below] clearly point to a governance problem."

Management wasn't thinking about information security, Mr Ng summarises.

"There were no KPIs [key performance indicators] or organisation-level policies around information security.

"They didn't have enough infosec people to service the whole organisation, and the visibility of their work was 'limited'.

"MSD's spin is focused on the fact that problems identified in the first report are not widespread. But those problems only existed because the governance at the ministry never paid more than lip-service to information security," Mr Ng says.

Overall, he's relatively satisfied with the way things have turned out.

"It's a pretty brutal report, and I think it addresses the governance issues beyond the four employees who are under the gun," Mr Ng says.

Why nobody noticed the screw up
Mr Ng told NBR the first Deloitte report was honest and reasonable, but left the big question unanswered: why was Dimension Data's April 2011 report on kiosk security holes ignored?

Did he feel it was answered by the independent investigator's second installment?

"Partly. We still don't know the details of what those four employees did, but I think the governance issues highlighted in the report explain why those guys screwed up, and why nobody noticed," Mr Ng says.

Following Deloitte's Phase I report, which criticised the MSD for ignoring a report by Dimension Data that identified security problems with the kiosks, four ministry staff face employment investigations.

Yesterday, the ministry said findings from the Phase II report would be used in the ongoing investigations into the four staff.

The MSD said the two Deloitte reports had cost around $450,000.

A separate Internal Affairs investigation into all public-facing government computer systems continues.

RAW DATA: Deloitte Phase II report (PDF)

ckeall@nbr.co.nz

7 Comments & Questions

Question that remains completely unanswered and a much bigger problem to address: Can any WINZ staff member access any invoice generated by a WINZ supplier country-wide? I'm totally baffled that access control segregation within the organisation is not publicly discussed at all.

No surprises here, where Ineptness and Inefficiency are in lockstep with one another. 'Brendey' needs to pack up his bags and get the hell outta Dodge.

Was Brendan Boyle the architect of the infamous 5 year New Zealand passport? In his time at Internal Affairs?

Most government emails say if this information is not for you send it back to the sender. I don't understand why everyone is making such a big deal. Hacking is illegal and hackers are breaking laws.

I guess MSD management are equally as wet behind the ears.

$0.45M to produce conclusions that any competent IT practitioner could have written ten minutes after hearing about this shambles. Never mind. Appropriate backsides protected and scapegoats found.

I think before Brendan Boyle writes patronising letters to clients of MSD he should learn his own job first before patronising people who really understand where MSD has it wrong and where they invent bullsh*t answers to cover their behinds. Time for him to go on a benefit with his boss Paula Bennett to see how the other half really lives.