Privacy review finds vulnerable agency IT systems

9:55 pm on 5 June 2013

Dozens of government agencies have no idea whether their websites or public kiosks are a security risk.

The widespread failing has been revealed in a review of 70 government departments and ministries that was able to identify 12 systems at risk because of insecure passwords, potential access by unauthorised users or being connected to internal networks. However, there was no evidence of privacy breaches.

KPMG investigated 215 publicly accessible computer systems and found 73% lacked formal security standards and had no formal risk management processes.

The offenders included the Ministries of Social Development, Education and Justice, as well as the Earthquake Commission and the MidCentral District Health Board.

The review - sparked by privacy breaches identified at Social Development Ministry kiosks in October 2012 - also found that many agencies could not provide documentation on whether or not there were vulnerabilities.

In 2010, the kiosks were set up to allow Work and Income clients to search job listings, create CVs, apply for jobs and make appointments. However, it was later discovered that private and sensitive information about clients could be readily accessed on them.

The Government Chief Information Officer, Colin MacDonald, said on Wednesday that all government agencies are now obliged to do complete risk reviews of their publicly accessible systems, but admitted that more vulnerabilities could be found.

"Until those agencies do their detailed risk assessments, which is being completed within the next few months, there could still be vulnerabilities."

Mr MacDonald said there needs to be more oversight from senior management over privacy and security issues, which are often treated as a technical issue.

"We're relying too heavily on our IT professionals and our IT vendors. Many agencies need to make improvements in the way that they govern and oversee this activity and the state sector is working hard as a result of this review to lift its game."

Mr MacDonald said no one in the public or private sector can make an absolute assurance the public's information is safe and it has to be managed in the best possible way.

State Services Commissioner Iain Rennie would not comment on Wednesday on whether there are systemic failures within government agencies' information systems.

Asked if there are systemic problems with IT security, Mr Rennie said that the bar is being raised. He said he regrets the fact a catch-up is necessary to deal with privacy problems, as agencies have been using technology much more.

"Obviously with hindsight, we would have liked to have focused on this earlier. But now that we have had the incidents that we have, the challenge for us as a system is to up our game and to display a high degree of urgency around that task - and that is what I believe we're doing."

Mr Rennie said over the coming years the lessons learned about the publicly accessible systems would be applied across the wider government sector.

Room for improvement - PM

Prime Minister John Key said the review shows there is room for improvement and as more information is accessed from the Government there needs to be vigilance that the best systems are in place.

"I think it shows it's a fast evolving area with legacy systems where maybe not all of the right focus was placed on those systems at all times, but we are working to improve those dramatically."

Mr Key said more powers are being given to the Government Chief Information Officer.

Labour Party leader David Shearer said the review shows there are systemic failures in government agencies.

Mr Shearer said John Key, who received the KPMG report in December 2012, has misled the public about whether there are widespread problems. He said Mr Key told Parliament in March this year there were no such problems, and that privacy issues were only about human error.

Privacy Commissioner Marie Shroff said there are systemic weaknesses in the way privacy and security have been managed in the government sector.

"Cavalier is possibly a little strong. I think it's been largely overlooked, under-regarded, not taken seriously. And if that amounts to cavalier, yes the attitude has been somewhat cavalier."

Ms Shroff said the review is a wake-up call for government agencies and welcomed the recommendations to improve information security.