Keith Ng: MSD report honest, reasonable - but leaves one big question
UPDATE: Privacy Commissioner calls kiosk security failure "unfathomable;" says report raises questions about wider MSD culture.
UPDATE: Blogger Keith Ng has described the phase one Deloitte report into Ministry of Social Development security breaches as "honest" and "reasonable."
But he says one big question remains: why.
That is, why the MSD ignored a Dimension Data report early last year, which flagged security issues with public computer kiosks (in its report, Deloitte notes that Beneficiary Advocacy Federation spokeswoman Kay Brereton also alerted the MSD to security issues with the kiosks in October 2011).
He notes that at this morning's briefing, MSD chief executive Brendan Boyle said cost wasn't an issue.
"But that doesn't leave us much to work with," Mr Ng told NBR ONLINE.
But although frustrated by the lingering question, the blogger said he appreciated the MSD could not address the "why" in detail while investigations into four staff are underway.
(The staff investigations were announced by Mr Boyle this morning as part of his wider 'damning' report.)
"Unfathomable" - Privacy Commissioner
"This hard-hitting report – especially since it follows hard on the heels of the ACC report – shows just how far some of our major agencies have to go before we can be confident our information is protected," Privacy Commissioner Maria Shroff said.
“Basic IT security safeguards to protect personal information were missing, from the time the ‘kiosk’ system was built. And it’s unfathomable that the Ministry did not address Dimension Data’s revelations that sensitive personal information was exposed on network shares.
"The decision about how to handle such a serious problem should have been made at the highest levels of the business. This raises questions about the wider culture of handling information within MSD."
Looking at IT security is only one part of the picture, the Privacy Commissioner said.
"A complete mind-shift is needed in some quarters. There's been far too little focus on the fact that there are real people behind the information that government agencies hold. Those agencies need to develop and embed strong leadership, governance structures, policies and practices to manage personal information at every level of the organisation.
“The problems with the MSD kiosks are now evident. Whether there have been wider failures of leadership, policies and strategy about how personal information is handled within the Ministry is still to be seen. However, I expect the next stage of this review to ask some penetrating questions."
"True test" to come
Institute of IT Professionals NZ chief executive Paul Matthews told NBR, "The report makes clear that it should never have happened and if good project management and IT governance layers were in place, the lack of action when issues were highlighted wouldn't have occurred."
On the positive side, the ministry acted fast to identify and isolate the issue, commissioned independent reports into what happened and didn't try to hide the findings - even where damning, Mr Matthews said.
"And most importantly, have set the scope of the second report to look at the contribution of the surrounding cultural issues towards security and related matters, which we believe will need to change."
He summed up, "So a good response thus far, but the true test will be in what the ministry does about it."
No prosecution
Separately, the MSD issued its first decisive statement on possible legal action against Mr Ng and his associate Ira Bailey.
"MSD does not intend to prosecute either of these two men," spokesman David Venables told NBR.
NBR relayed the news to Mr Ng, who did not want to comment further on the legal question. He said MSD had been courteous throughout the affair. If prosecuted, Mr Ng could have faced up to two years' jail.
Ng launches own inquiry
Blogger Keith Ng is gatecrashing a Ministry of Social Development (MSD) security report briefing this morning.
Mr Ng told NBR ONLINE he has also fired off a series of Official Information Act (OIA) requests in a bid to learn how blogger Cameron Slater got information about the scandal so quickly, and who tipped off Herald journalist Claire Trevett about the identity of his source (Urewera 17 member Ira Bailey).
To that end, he has sent OIAs to the MSD, the Prime Minister’s office and Social Development Minister Paula Bennett’s office asking for all correspondence each has had with Mr Slater and Ms Trevett.
The blogger said he found Ms Bennett's comment to NBR (“To the best of my knowledge no one in my office spoke to media about Mr Bailey prior to Keith Ng releasing his name on his blog") vague compared to the MSD's categoric denial.
Mr Ng has also requested a copy of the Dimension Data report from last year that raised security concerns about MSD public computer kiosks, which were subsequently not addressed.
10am media briefing by MSD boss
Yesterday afternoon, the ministry invited various media to a 10am press conference in Wellington, with a 9am lockdown briefing ahead of it.
Mr Ng, who writes for Russell Brown’s Public Address, was not on the list.
"I'm gatecrashing," he told NBR as he made his way to the Bowen St briefing. [UPDATE: He was allowed in.]
The briefing will be co-presented by MSD chief executive Brendan Boyle, who sits on the independent inquiry’s steering committee, and Deloitte chairman Murray Jack, who is leading the investigation.
The pair will update on the first phase of the Deloitte investigation, which focused on the kiosk security breach uncovered by Mr Bailey, and first reported by Mr Ng.
A second phase of inquiry will look at the MSD's broader network, and corporate culture.