Second Deloitte report into MSD security breach 'brutal' - Keith Ng

MSD chief executive Brendan Boyle

"Pretty brutal" is how blogger Keith Ng describes the Deloitte report on Phase II of its investigation into the Ministry of Social Development kiosk security breach.

Deloitte's Phase I report focused specifically on the MSD security gap first publicised by Mr Ng (public computer kiosks at WINZ allowing wide-ranging access to client and commercially sensitive files on the ministry's network).

Phase II of the independent investigator's assessment looked at whether the breach was symptomatic of governance, cultural and technical problems across the MSD.

Privacy Commissioner: good - but when?
“The Deloitte report on MSD makes it very clear that there is a need for strong leadership by senior management on the way client information is handled within MSD,” Privacy Commissioner Marie Shroff says.

Ms Shroff said she was pleased MSD had pledged to act on the report's recommendation. But she added, pointedly, that she looked forward to a timeline.

Security czar 
The report notes that while the Government Communications Security Bureau (GCSB) and other agencies lay down information security guidelines, the MSD has no process to assess if they are being met.

In response, the ministry has pledged to appoint a chief information security officer, with recruitment to begin "within the next few weeks."

Chief executive Brendan Boyle says the person who fills the new role will be in charge of implementing the recommendations in Deloitte's two reports, and will have ongoing responsibility for information security.

The Phase II report says no evidence was found of the security breach identified by Mr Ng (and first identified by Ira Bailey) being exploited by others.

Only lip-service to information security
Mr Ng told NBR ONLINE, "The key findings [on pages 15 - 17 of the report in RAW DATA, below] clearly point to a governance problem."

Management wasn't thinking about information security, Mr Ng summarises. 

"There were no KPIs [key performance indicators] or organisation-level policies around information security.

"They didn't have enough infosec people to service the whole organisation, and the visibility of their work was 'limited'.

"MSD's spin is focused on the fact that problems identified in the first report are not widespread. But those problems only existed because the governance at the ministry never paid more than lip-service to information security," Mr Ng says.

Overall, he's relatively satisfied with the way things have turned out.

"It's a pretty brutal report, and I think it addresses the governance issues beyond the four employees who are under the gun," Mr Ng says.

Why nobody noticed the screw up
Mr Ng told NBR the first Deloitte report was honest and reasonable, but left the big question: why was Dimension Data's April 2011 report on kiosk security holes ignored?

Did he feel it was answered by the independent investigator's second installment?

"Partly. We still don't know the details of what those four employees did, but I think the governance issues highlighted in the report explain why those guys screwed up, and why nobody noticed," Mr Ng says.

Following Deloitte's Phase I report, which criticised the MSD for ignoring a report by Dimension Data on security problems with the kiosks, four ministry staff face employment investigations.

Yesterday, the ministry said findings from the Phase II report would be used in the ongoing investigations into the four staff.

The MSD said the two Deloitte reports had cost around $450,000.

A separate Internal Affairs investigation into all public-facing government computer systems continues. 

RAW DATA: Deloitte Phase II report (PDF)


7 Comments & Questions


Question that remains completely unanswered and a much bigger problem to address: Can any WINZ staff member access any invoice generated by a WINZ supplier country-wide? I'm totally baffled that access control segregation within the organisation is not publicly discussed at all.


No surprises here, where Ineptness and Inefficiency are in lockstep with one another. 'Brendey' needs to pack up his bags and get the hell outta Dodge.


Was Brendan Boyle the architect of the infamous 5 year New Zealand passport? In his time at Internal Affairs?


Most government emails say if this information is not for you send it back to the sender. I don't understand why everyone is making such a big deal. Hacking is illegal and hackers are breaking laws.


I guess MSD management are equally as wet behind the ears.


$0.45M to produce conclusions that any competent IT practitioner could have written ten minutes after hearing about this shambles. Never mind. Appropriate backsides protected and scapegoats found.


I think before Brendan Boyle writes patronising letters to clients of MSD he should learn his own job first before patronising people who really understand where MSD has it wrong and where they invent bullsh*t answers to cover their behinds. Time for him to go on a benefit with his boss Paula Bennett to see how the other half really lives.

