Editorial: MSD has lost public faith

16:00, Nov 04 2012

Atrocious, damning, woeful. The language used by Social Development Minister Paula Bennett and her chief executive, Brendan Boyle, to describe the breach of security at Work and Income's self-help kiosks could not be more scathing.

And rightly so. The issues identified by the Deloitte review of the fiasco will give the public no confidence that the Social Development Ministry is a judicious guardian of the huge amounts of private information - much of it extremely personal - that it demands clients hand over. In an age when information technology has a key role in the delivery of modern public services, that impression must be urgently turned around if the ministry is to make full use of such advances.

The self-help kiosks installed in Work and Income offices last year were put in place to help clients search for jobs, prepare CVs and apply for positions. But for some reason yet to be adequately explained, they were connected to the ministry's main network, allowing anyone with a cursory knowledge of computers to tap into files containing highly sensitive information.

Blogger Keith Ng did exactly that last month after he was tipped off about the flaw by associate Ira Bailey. Mr Ng downloaded around 7300 items, more than 1400 of which contained personal information, including the names and dates of birth of people dealing with Work and Income and descriptions of the legal or medical services purchased on their behalf. Highly sensitive information relating to eight children and two adults was also downloaded.

The Deloitte report does not say what that was, but Mr Ng said in October he had downloaded invoices identifying children in care, beneficiaries being investigated for fraud, children with high and complex needs and the name of a person who had attempted suicide.

The error in connecting the kiosks to the ministry's main network was bad enough, but the ministry then failed to properly act on warnings from a company it hired to test the system for security flaws before it went live in October last year. In April 2011, Dimension Data highlighted six security issues that had to be addressed, including the need for network separation. That issue was considered by the IT team, but as Mr Boyle notes, "staff woefully underestimated the risk of a malicious attack". Worse still, those dealing with the warnings from Dimension Data failed to alert their managers to the issues raised, leading to proposed action slipping off the work programme altogether.

There is something badly wrong in the culture of an organisation when mission-critical problems such as those identified with the kiosks are not drawn to the attention of senior managers. To Mr Boyle's credit, the seriousness of the lapses has been acknowledged and acted upon, with four staff members now the subject of employment investigations.

That is not the end of the matter, however. It is now for Ms Bennett and Mr Boyle to make sure the public's faith in the Social Development Ministry's guardianship of private information is restored, and that the culture that led to such lax measures is changed.


The Dominion Post