Government's approach to privacy 'cavalier'
Social Development Minister Paula Bennett says security of computer systems is an operational matter despite giving earlier assurances she would monitor it.
Consultancy firm Deloitte has been appointed to conduct an independent investigation after blogger Keith Ng revealed he was able to access Ministry of Social Development servers through public kiosks in a Work and Income office.
MSD chief executive Brendan Boyle yesterday admitted they had not acted on earlier warnings about the system.
State Services Commissioner Iain Rennie has asked Government Chief Information Officer Colin McDonald to undertake an urgent review of publicly-accessible systems operated by the state sector.
Mrs Bennett said the breach was not acceptable and was taken very seriously.
"I am extremely disappointed."
Mr Boyle, former Government Chief Information Officer with responsibility for providing strategic advice on information and communications technology, has apologised.
In Parliament yesterday Mrs Bennett said security of the system was an "operational matter".
However, in a letter to Finance Minister Bill English in February 2009, Mrs Bennett said she would be monitoring progress of increased use of frontline information services.
"Whilst the ministry has a strong focus on reducing its national office numbers there are also substantial plans to automate frontline services for clients through the use of online and other IT solutions," she wrote.
Labour MP Jacinda Ardern said the breach "points to a cavalier approach to privacy and to the protection of information by this Government and the buck has to stop somewhere."
MSD originally said the first it knew of the breach was when Ira Bailey contacted it recently.
Mr Bailey was arrested in October 2007 as part of the police raid against a suspected terror plot but the charges were dropped.
Last week Mr Bailey's LinkedIn profile was accessed by an adviser in Mrs Bennett's office.
Mr Ng has accused Mrs Bennett's office of leaking Mr Bailey's name to media, but she denied that yesterday. Aware on Monday night a media outlet had Mr Bailey's name, Mr Ng released it to other media.
Mr Bailey said he did not tell MSD the details of what he found because he thought the story needed to be told.
He checked on two different kiosks before ringing MSD.
After he was put through to an answer machine and called back again to leave a message, it took several days to get a return call.
"I decided that the story needed to be done, I didn't tell them on the spot, and that probably wasn't the best idea. Yeah, I guess, I'm sorry, it seems that I probably should have," he told Radio New Zealand.
But the breach was "mental" and gave access to everything within MSD's system.
"I couldn't believe it, my brain imploded really."
He said it took only two or three minutes to access the information and this made him worry about other government systems.
Mr Bailey took screen shots on his camera but did not take away any files.
Yesterday it was revealed MSD commissioned a $10,000 report from Dimension Data which highlighted problems with the kiosks in mid-2011.
Mr Boyle said he was not confident the report's recommendations had been adequately followed up. "We will be asking Deloitte to determine what we did to follow up this report's recommendations and whether our response was adequate."
The matter was also raised by a beneficiary advocate about a year ago.
Green Party co-leader Metiria Turei suggested Mrs Bennett should take responsibility for "creating the cavalier attitude to privacy now evident within her office and her ministry".
Mrs Bennett has been criticised in the past for misusing private beneficiary information.
"How can New Zealanders trust her oversight of her ministry's privacy systems when she herself has revealed blatant disregard for privacy?"