Minister: Kiosks 'an atrocious operation'
KATE CHAPMAN, VERNON SMALL AND MICHAEL FIELD
The Social Development Minister is calling Work and Income kiosks, which sparked a report after they caused security breaches, "an atrocious operation''.
The report, conducted by Deloitte and released today, was commissioned after blogger Keith Ng discovered the ministry's secure servers were accessible through the public kiosks in Work and Income offices.
At the time it was revealed an independent report highlighted the risk with the kiosks in April last year and a beneficiary advocate had raised concerns last November.
Paula Bennett said today's report was damning and she was pleased ministry chief executive Brendan Boyle and the ministry were standing up and dealing with it.
She denied that she was passing the buck and rejected questions over whether she should resign.
"I cannot be held to blame for something I have no control over," she told media.
She said the ministry had not lived up to public expectations and she could not explain it.
"It seems incredulous to me."
Bennett said she had confidence that Boyle would remedy the problem.
"I have faith he will do the right thing."
She said she was personally "gutted" over what had happened and said she had been embarrassed by the "terrible mistake".
Kiosks would only be put back into operation when she was "110 per cent" certain they were safe.
Bennett would not comment on the employment issues involved in the report.
The report showed the Dimension Data report in April 2011 "clearly highlighted security issues that needed to be addressed including the lack of network separation".
"These findings were not appropriately followed up, addressed or escalated for management visibility and action which meant that the risks remained substantially unaddressed."
The significance of the risks was underestimated by the project team responsible for the kiosks and the ministry's information technology security team, the report found.
Ng, and associate Ira Bailey who alerted him to the breach, assisted with the report.
They handed over 7307 items downloaded from two kiosks.
More than 1430 of the items contained personal information, including "highly sensitive information" of 10 people.
The ministry had already begun contacting those affected.
Among the items accessed 533 were Christchurch Earthquake Recovery Authority invoices.
'GUTTED AND DISAPPOINTED'
Boyle said he was "gutted and disappointed" the agency had let people down.
"The report is damning around MSD's failure to separate public kiosks from a network containing corporate files."
A second Deloitte report would look at broader issues about the security of the ministry's information systems and the culture within the organisation.
That review was due to be completed later this month.
Meanwhile, a barrister was conducting four employment investigations.
"I can assure people that the employment investigations will be thorough and people will be held to account for their conduct," Boyle said.
Ng said the report showed there was definitely an issue with MSD's management.
The report identified downloading of information on October 4, but could not be sure who made the breach.
Ng said it could have been him or Bailey but they were not sure of their dates.
"We've told them, I said quite specifically, that we didn't know exactly when we did things it was just all a bit of a blur over that week and a half."
He uncovered information about people being investigated for fraud and details of those owing money to MSD.
But those people will not be contacted by MSD which is only contacting the 10 people, eight children and two adults, whose highly sensitive information was accessed.
Other people will have to ring MSD to find out whether they are one of the 1432 people whose information was accessed.
It was a good start to MSD's response but he found it strange the blame was being laid on four people, Ng said.
"All they've done is point the finger at these people, I guess we'll have to wait to find out what actually happen or why the actually made the decisions that they did."
'PASSING THE BUCK'
Meanwhile, Green MP Jan Logie said MSD was passing the buck by blaming the breach on four staff members.
"[Social Development Minister] Paula Bennett needs to step up and take responsibility for the disgraceful and repeated breaches of privacy by herself and her ministry."
Labour MP Jacinda Ardern said Bennett could no longer say this was an operational matter.
"The report not only slams the Ministry's insufficient focus on security and privacy during design and build, but also its inadequate risk management."
Public confidence in the department was not an operational matter, she said.
"There is no way she can hide from this."
- © Fairfax NZ News
Are you for or against the Trans-Pacific Partnership free trade agreement?Related story: TPP talks fail to reach agreement