Restoring trust is hard

19:57, Nov 04 2012

Some 700 self-service kiosks were closed in Work and Income offices and three inquiries were launched after blogger Keith Ng did what anyone with the know-how could do. He downloaded thousands of confidential files - some containing sensitive information about at-risk children - from a kiosk computer. The names of people being investigated by the benefit fraud unit and people owing money to the Social Development Ministry were there too.

The findings of one inquiry into what happened, released late last week, justifiably have been described as damning. Most obviously, the ministry failed in its duty to keep safe the information it stores on the people with whom it deals. The Deloitte inquiry report says, for starters, security was not adequately considered in the "kiosk" design and implementation.

Next, security issues identified through independent testing "were not appropriately addressed and followed up". These included the lack of network separation. And third, the significance of security risks highlighted during testing was underestimated by the project team responsible for delivering the "kiosk" computers and the ministry's IT security team. In short, the risk was not properly addressed.

Ministry chief executive Brendan Boyle, having said he was "gutted" and "sorry" that security of the corporate network was compromised, somewhat lamely has tried to mollify the public with a morsel of good news. He was "very pleased to report that there has not been a widespread privacy breach".

But because the kiosks don't keep logs, no-one can know the extent of any security breaches. Any limitation of the breaches was a consequence of good luck, not good management.

The ministry has an immense workload. Providing services to more than 1.1 million clients, it receives more than 230,000 calls a week and around 40,000 online applications a month.

Mr Boyle is attempting to restore lost trust by saying he is "holding people accountable" and four employment investigations are under way.

Privacy Commissioner Marie Shroff has raised questions about the wider culture of handling information within the ministry. Fixing a ministry culture demands a blood-letting that goes all the way to the top.