The Social Development Ministry is replacing its public kiosks in Work and Income offices with a new system, after the major security breach that was identified in October.
A new report into the breach, which gave the public access to sensitive welfare case notes, found that one of the three main causes existed throughout the ministry.
The Phase 2 report, by consultants Deloitte, found there was no explicit requirement at the ministry for all risks to be "escalated" to management by staff further down the chain.
Privacy Commissioner Marie Shroff yesterday weighed into the issue, criticising the ministry's approach to security, saying leadership needed to come from the top for things to change.
Privacy and security should be structured in from the start, she said.
"It's easy to forget that the ‘data' relates to real people - and that failing to look after that data can cause harm to those people," Ms Shroff said.
Meanwhile, ministry chief executive Brendan Boyle yesterday said it was talking to a supplier about installing new "client self-service workstations that will be completely separate from the ministry's own IT systems and will replace the kiosks closed in October".
They would go online only when the ministry was satisfied they were as secure as possible.
The report found the two other main causes of the security breach that allowed access to some of the ministry's private information, disclosed by blogger Keith Ng after a tip-off, did not exist throughout the ministry.
They were the failure to adequately design security into the public kiosks, and the failure to follow up on a "penetration test" that had highlighted problems with security at the kiosks.
Mr Boyle welcomed the report, saying that while there were matters that needed to be addressed, "I am reassured that the Phase 2 Report has found those issues are not widespread across the ministry".
A new role of chief information security officer would be created, in line with the report's recommendation.
Mr Boyle said of all the items downloaded during the October security breach, invoices relating to 10 individuals contained highly sensitive information.
Another 100 people concerned about their information had contacted the ministry.
An employment investigation into four people, as a result of the security breach and the failure to heed earlier warnings, was not yet complete. Findings from the Phase 2 report would be used as part of this investigation.
Mr Boyle said the two reports into the security breach had cost $450,000. "This is a significant sum, but we had to ensure we understood what had occurred and were in a position to take every possible step to prevent it happening again."
- © Fairfax NZ News