3 Nov 2012

MSD staff 'to be held accountable' over breaches

2:53 pm on 3 November 2012

Four Ministry of Social Development staff are under an employment investigation after a review found they knew of the massive privacy risks with Work and Income kiosks but failed to report them.

The review by Deloitte found security issues were raised on a number of occasions, but said ministry staff underestimated the risk and did not alert anyone else.

It was revealed in October this year that private and sensitive information about clients could be readily accessed on the public kiosks.

Freelance journalist Keith Ng and IT specialist Ira Bailey exposed the lack of security surrounding the department's network by downloading thousands of files from two kiosks.

The kiosks were set up two years ago to allow Work and Income clients to search job listings, create CVs, apply for jobs and make appointments.

Ministry chief executive Brendan Boyle says the investigation found more than 1400 of the 7000 files accessed by the two men contained personal information such as clients' names and dates of birth. Highly sensitive files of eight children and two adults were also downloaded.

Mr Boyle says the report found some staff were aware of the critical security issues, but failed to follow them up or refer them on.

"It seems people woefully underestimated the risk of malicious attack. I want to make it clear that I am holding people accountable for this very serious breach of our corporate system. I have launched four employment investigations at this stage."

Keith Ng says another report could explain why staff did not alert management. He told Radio New Zealand's Checkpoint programme on Friday that a report is due out which may explain how security issues are dealt with by staff at the ministry.

"How are these security issues routinely treated? Is there a cultural problem whereby security issues are ... not something that you considered important enough to bring up with your managers? I think that's stuff that we'll see coming out of phase two of the report."

Mr Ng says more information is needed on why staff did not alert management.

Beneficiary advocate Kay Brereton told Checkpoint she approached the Social Development Ministry several times about possible breaches with computer kiosks.

Ms Brereton says she advised it several times by email and telephone that the kiosks could be used to access names and addresses of other ministry computers.

"Privacy is an issue that we have been raising there for quite some time and it's definitely been an issue for the last five or so years."

She welcomes a further review into how the ministry deals with privacy.

Don't blame me, says Bennett

Social Development Minister Paula Bennett says security breaches at her ministry are atrocious - but she can't be blamed for them.

The Labour and Green parties say Mrs Bennett needs to take responsibility for the problems.

Labour's social development spokesperson Jacinda Ardern says it seems the ministry is sloppy when it comes to privacy and security and Mrs Bennett has handled this latest matter the same way.

"We're asking her to change that attitude to demonstrate to the public that they can have confidence in her department. And, quite frankly, how dismissive she's been of this situation to date hasn't given people the confidence they need."

Green MP Jan Logie says Mrs Bennett promised to keep a close watch on the introduction of the kiosks.

"But the Deloitte report shows that in the final business case there wasn't even a discussion of security risks, so privacy wasn't on her agenda. If it's not on hers, it's not surprising it wasn't on the staff's agenda."

Ms Logie believes a culture of cutting costs at the ministry contributed to the privacy breaches.

Paula Bennett says she has high standards for the ministry, but it did not live up to them and she cannot be blamed for something she has no control over.

Funding not the problem - PM

Prime Minister John Key says he doesn't believe that funding at the ministry had anything to do with the security problems of the kiosks.

"I don't think it's because it's starved of investment. From what I can see in the report, it was at a fairly low level - they actually failed to kick that up the chain.

"There are a variety of different things that they can't explain, but the long and the short of it was, they knew what was going on. The ministry itself actually paid for the proper security report, but they just didn't carry it out."

Mr Key says the matter won't stop the Government's plans for having more interactions with the public carried out electronically - it just has to make sure security aspects are buttoned down.

Public Service Association national secretary Brenda Pilott doubts just four people were to blame, saying there are clearly issues about the department's management of a particular project and its accountability and risk management systems.

Ms Pilott says one factor which may have played a role in the breach is the huge scale of IT projects being undertaken by the Government at the same time resources and staffing are being cut.