Deloitte phase I investigation into MSD security breach 'damning'

An investigation into the social development ministry's recent security breaches has found initial concerns about its self-service kiosks were not looked into further.

READ ALSO: Ng: MSD report honest, reasonable - but leaves one big question

MSD chief executive Brendan Boyle has confirmed a number people will be held accountable for their action or inaction around the breaches. 

He says he has launched four employment investigations into staff "across the spectrum".

But he will not be commenting on them because the investigations need to run their course.

The MSD has revealed its first report into last month's breach of the kiosks.

Mr Boyle says the report is damning and details the ministry's failure to separate public kiosks from a network containing corporate files.

The report, carried out by Deloitte, came to a number of conclusions, including:

• The ministry's insufficient focus on security and privacy during design and build.
• The ministry's inadequate response to findings from security testing.
• The ministry's inadequate risk management and escalation within the IT organisation.

The report has also found there was an inadequate reponse to Kay Brereton's October 2011 concerns regarding the security of the kiosks:

• There were also four key weaknesses which enabled the security breach:The ability to map network drives was not restricted on the kiosk.
• There was a lack of separation between the kiosks and the ministry's corporate network.
• The kiosks operated as an authenticated user on the network, giving the kiosks a trusted level of privilege to the ministry's corporate information.
• Shares containing sensitive data on the network were not appropriately restricted.

The report found the breach would not have occured in the way it did if any one of these weaknesses had not existed.

Mr Boyle says of the 7307 items handed over and 1432 of them contained some personal information, such as a person's name or date of birth or other information.

Ten of those cases involve highly sensitive information.

Mr Boyle again apologised for the breach.

"I'm sorry, however I'm pleased to report the security breach has not been widespread.

"The investigation has confirmed there is no evidence to suggest the information has gone beyond blogger Keith Ng and his informant Ira Bailey."

Mr Bailey was one of the Urewera 17.

He admits the ministry failed to keep the information safe, but says the risk of harm is extremely low.

The report found initial security testing by Dimension Data detailed the lack of network separation and the existence of accessible network shares.

However, these concerns were not fixed, not were the findings escalated.

"If these two findings had been remediated, the security breach could not have occured in the manner it did," wrote the report's authors.

Deloitte has now begun phase two of its investigation into the effectiveness of the ministry's wider IT security. The report is due towards the end of the month.