Work and Income replaces public kiosks
The Social Development Ministry is replacing the public kiosks in Work and Income offices with a new system, after a major security breach was identified in October.
Chief executive Brendan Boyle said today that the ministry was talking to a supplier about installing new "client self-service workstations that will be completely separate from the Ministry's own IT systems and will replace the kiosks closed in October".
They would only go online once the ministry was satisfied they were as secure as possible.
Meanwhile, a new report into the security breach has found that one of the three main causes of the breach existed across the ministry.
The Phase 2 report, by consultants Deloitte, found that there was no explicit requirement for all risks to be "escalated" to management by staff further down the chain.
"Consequently, this led to this primary cause being evident across the ministry," the report said.
The ministry had recently taken steps to ensure that those overseeing projects receive full registers of the risk, which together with heightened awareness of information security was expected to lessen the risk.
The report found the two other causes of the breach, disclosed by blogger Keith Ng after a tip-off, did not exist across the ministry.
Those were the failure to adequately design security into the public kiosks and the failure to follow up on a "penetration test" that had highlighted problems with security at the kiosks.
However, Deloitte said security risks and security-related activities need to be strengthened to give leadership a high degree of confidence that these factors would not emerge elsewhere in the ministry.
Ministry head Brendan Boyle welcomed the report.
"While there are matters that need to be addressed, I am reassured that the Phase 2 Report has found those issues are not widespread across the Ministry. From the scope of the work Deloitte did, there was also no evidence found to suggest that there were other breaches of the Ministry's IT systems."
He said he had made it clear to his leadership team that the ministry was responsible for ensuring recommended improvements occur "and that the protection of client information is at the forefront of all decision-making".
A new role of chief information security officer would be created.
Boyle said of all the items downloaded during the October security breach, invoices relating to 10 individuals contained highly sensitive information.
"The ministry had spoken with all these individuals or people acting on their behalf (some are children) and is continuing to work with them to address their concerns."
It had also been contacted by about 100 people concerned that their information may have been accessed.
An employment investigation into four people, as a result of the security breach, was not yet complete.
Findings from the Phase 2 report would be used as part of this investigation.
The two reports into the security breach have cost $450,000.
"This is a significant sum, but we had to ensure we understood what had occurred and were in a position to take every possible step to prevent it happening again.
"New Zealanders we work with must have confidence we will keep their information secure," Boyle said.