Several staff at New Zealand's ministry of social development (MSD) are likely to face disciplinary action, following the release of a Deloitte report into a massive privacy breach in October.
Brendan Boyle, the chief executive of the New Zealand ministry of social development (MSD), described evidence from Deloitte's independent report as "damning".
"Insufficient work was done by the ministry to ensure appropriate security was placed around the protection of information at the time the kiosk infrastructure and services were designed and built," Boyle said in response to the report.
As a result of the first phase of the Deloitte report [pdf], the MSD will launch four "employment investigations" by an independent barrister. These investigations will hold people accountable for their conduct, Boyle said.
He did not say who would be investigated or what consequences they could face.
In October, blogger Keith Ng acted on a tip and found that self-service kiosks at Work and Income labour exchange offices allowed access to the MSD's internal network.
Ng captured around 400 megabytes of data, consisting mostly of invoices, on a USB stick, which has now been returned.
Of the 7,300 items captured, 1,432 contained personal information, the MSD has noted. Invoices relating to eight children and two adults contained highly sensitive information, the ministry said.
Ng disputes this. He estimated that over 10,000 names were viewable.
The report found that there was no widespread privacy breach, and no evidence the breach went beyond Ng and his tipster, Ira Bailey.
Adam Boileau of Insomnia Security isn't so certain.
"Given that the Deloitte report quite clearly states that there was inadequate monitoring, lack of an audit trail and no alerting or notification, it brings into question the extent to which they can be sure about anything," he said.
"If you can’t build it right, you sure can't tell if it’s been abused."
Dimension Data subsidiary Security-Assessment conducted a penetration test on the kiosks in April 2011.
Boyle had initially denied that the penetration testing found any holes - but it has since been revealed that several critical security issues were ignored.
The most pressing issue, the report found, was the lack of network separation or segregation which could allow members of the public to access the MSD network resources and services.
Deloitte’s report says the security risks in the Dimension Data report were recognised, but their significance underestimated by the project team responsible for delivering the kiosk computers and the ministry’s IT security team.
The issues were not escalated or dealt with, the report said.
The computer kiosks were developed in 2009 as self-service devices for Work and Income clients, and ran Windows XP. People could use Microsoft Office software such as Word, Excel and PowerPoint to create curricula vitae and access the Internet for job searching.
However, unlike the previous "Worktrack PCs" which required manual log on with a generic username and password, the kiosks used auto logons and therefore did not record who used them and when.
Some 700 kiosks have been deployed in 160 welfare offices around New Zealand since 2010 with no audit trail. Infosec consultant and risk analyst Matthew Poole has suggested the MSD network should be deemed fully compromised.