The Social Development Ministry ignored four recommendations which could have closed a massive hole in its security system.
Public kiosks in Work and Income offices were closed last month after blogger Keith Ng was able to access secure ministry servers through the terminals.
Earlier testing conducted by Dimension Data found six problems and made clear recommendations on rectifying them – but MSD acted on just two, a report on the matter conducted by Deloitte and made public yesterday said.
It said the ministry did nothing about the link between the kiosks and servers, which is how Mr Ng was able to access private information.
Chief executive Brendan Boyle said the issue "dropped off the radar".
Privacy Commissioner Marie Shroff slammed MSD's failure and put it on notice ahead of a second report on the matter due out later this month.
It was "unfathomable" the recommendations were ignored, she said.
"This raises questions about the wider culture of handling information within MSD."
Other recent breaches within the public sector showed "just how far some of our major agencies have to go".
Deloitte said Dimension Data's report was discussed at a meeting and logged on MSD's risk register but was never acted on.
MSD was also warned about the ability to access sensitive data from the kiosks.
"If these two findings had been remediated, the security breach could not have occurred," the report said.
Mr Boyle yesterday apologised and said he was "gutted" about the breach and MSD's failure to act.
"The paperwork, which was also seriously lacking, seems to show grossly inadequate follow-up."
MSD staff "woefully underestimated" the risk, he said.
"I am holding people accountable for this very serious breach of our corporate system."
Four employment investigations were under way but Mr Boyle would not say what positions the people held.
The report found MSD staff in the kiosk project and information technology security teams were aware of risks with the kiosks since 2009, but failed to notify senior management.
They were also alerted by the Dimension Data report in April 2011, beneficiary advocate Kay Brereton in October 2011 and Ira Bailey last month.
"These findings were not appropriately followed up, addressed or escalated for management visibility and action, which meant the risks remained substantially unaddressed," the report said.
Opposition MPs have called for Social Development Minister Paula Bennett to take responsibility for the series of errors within MSD.
Labour's Jacinda Ardern said it was more than an operational matter and there was no way the minister could hide.
But Mrs Bennett said she was not to blame.
"I cannot be held to blame for something I have no control over."
MSD had not lived up to public expectations and the kiosks were an "atrocious operation", she said.
Mr Boyle said staff would be contacting 10 of the 1432 people whose private information was accessed.
Those 10, including eight children, were assessed as having highly sensitive information held by MSD.
Other people would have to contact MSD to find out whether their private information had been accessed.
So far 68 people had done so.
The information included names, dates-of-birth and medical services used.
Mr Boyle said the risk of harm was low because of the limited information available and it was not distributed by Mr Ng or Mr Bailey.
He was confident no-one else had accessed the system but could not be sure.
- © Fairfax NZ News