Inquiry ordered into MSD data security

"VERY SIGNIFICANT MISTAKE":Ministry of Social Development chief executive Brendan Boyle, left, and Social Development Minister Paula Bennett.
"VERY SIGNIFICANT MISTAKE":Ministry of Social Development chief executive Brendan Boyle, left, and Social Development Minister Paula Bennett.

An independent security expert will conduct an inquiry into the security breach at the Ministry of Social Development.

Kiosks at a Wellington Winz office were shut down last night after Wellington freelance journalist Keith Ng reported on his blog that he was able to access thousands of files on the agency's servers from the computers in a Wellington Winz office.

Ministry of Social Development chief executive Brendan Boyle said the inquiry would look at the public kiosks which allowed access to private information.

"The right safeguards were not put in place around the Work and Income kiosks," Mr Boyle said.

The national accounting server was accessed by journalist Keith Ng and some invoices kept in the server had private information.

Mr Ng was also able to get into four other servers but was not access private information from them.

Boyle said he was grateful Ng was cooperating and would not release the information he had managed to obtain.

They could not be sure no other breaches had been made, Mr Boyle said, but the information acessed was not client files.

Once the MSD knew what information had been acessed, it could decide whether any clients needed to be advised.

The original claim of security breaches a year ago was "quite different" to the most recent breaches, Boyle said.

The issue raised a year ago was around internet protocols.

"The buck always stops with the chief executive," he said when asked who had responsibility.

KPMG were regularly engaged to conduct tests on the safety of MSD's systems and to attack them in a bid to highlight weak areas.

They had not found any issues.

Social Development Minister Paula Bennett said this breach pointed out that security around the new database for vulnerable children was paramount.

"None of this is acceptable to me, nor should it be to the public either," she said.

An experts group will be appointed to oversee security of the database and Bennett said it was a very different system.

"I will be making sure that every check and balance is put in around it."

Bennett said she still had confidence in Boyle.

"I consider this very serious, as does the chief executive.

"To me it says a very significant mistake was made."

Boyle said the department wanted to understand why this had happened and to prevent it from happening again.

Some of the information acessed would not have be openly avaliable to Work and Income staff.

MSD was contacted last week by someone with "vague" concerns about the safety of MSD's information.

Part of the review will look at whether there is an audit system in place to see where information was acessed.

The kiosks were built by internal staff and the information should never have been available, Boyle said.

The Dominion Post