The MSD computer breach

October 17th, 2012 at 9:00 am by David Farrar

Stuff reports:

Social Development Minister Paula Bennett says security of computer systems is an operational matter despite giving earlier assurances she would monitor it.

Few people who are not partisan would expect the Minister to somehow be over the details of computer systems in a massive ministry. The job of the Minister, like that of a Director, is to ask questions such as “Have you had a firm test your security?” Bennett did not say (as no Minister would) that she would monitor computer security. She said:

“Whilst the ministry has a strong focus on reducing its national office numbers there are also substantial plans to automate frontline services for clients through the use of online and other IT solutions,” she wrote.

However there is no doubt the Govt gets damaged when ministries fail, and they are held ultimately accountable if they are not seen to respond strongly enough and give reassurance it won’t happen again.

Consultancy firm Deloitte has been appointed to conduct an independent investigation after blogger Keith Ng revealed he was able to access Ministry of Social Development servers through public kiosks in a Work and Income office.

chief executive Brendan Boyle yesterday admitted they had not have acted on earlier warnings about the system.

That is hugely concerning, and someone should be held accountable for that. Also as I had previously blogged, the investigation should not just be into the security breach, but also into why the kiosks were even connected to the main corporate network.


29 Responses to “The MSD computer breach”

  1. Ross12 (1,484 comments) says:

    Boyle should “be gone by lunchtime”. Heads have to roll on this one and obviously Boyle’s should be first. If there is no accountability on this one then the Government will deserve all the criticism that follows.

    [DPF: Umm Boyle was only appointed a few months ago. I don’t know the management structure at MSD, but my expectation is that the CIO should offer to fall on his or her sword unless they are also a very recent appointment]

  2. labrator (1,851 comments) says:

    why the kiosks were even connected to the main corporate network

    That really is the crux of it. There is actually no excuse for that other than incompetence. Security is about minimising your exposure and the easiest thing to do would’ve been to give these kiosks no exposure to any network unless absolutely required (and signed off as such by the CIO).

  3. JeffW (327 comments) says:

    And “CEOs” like Boyle get paid at levels which match or perhaps exceed those in the private sector. Give me a break. They should be on $250K max, and with performance clauses that allow dismissal in cases such as these.

  4. fish_boy (152 comments) says:

    “…Few people who are not partisan would expect the Minister to somehow be over the details of computer systems in a massive ministry…”

    If she isn’t responsible, why does she draw such an obscene salary? Is her donut bill that high? So much for John Key’s “higher standards”.

  5. KiwiGreg (3,278 comments) says:

    LOL, I’m guessing when they were Labour flunkies those salaries weren’t “obscene”.

  6. Mark (1,502 comments) says:

    DPF you have made some fair points but an issue such as this goes to the heart of Government credibility. If I can’t trust them to keep my information safe what can I trust them with? It would be nice to dislocate the government from government department in terms of responsibility but the reality is the public will be less inclined to make that distinction. With the background of the ACC leaks not long past, unless Paula Bennett and Key are seen to act swiftly and decisively on this, this issue is likely to be damaging for National.

    “Also as I had previously blogged, the investigation should not just be into the security breach, but also into why the kiosks were even connected to the main corporate network”

    Again a fair point but it does not seem to go far enough. The security architecture should also have limits on accessibility between divisions within MSD so that only those who need access to particular information can access it. From what we have read this is an open access system once you are in. Even in my wee business that does not happen.

  7. RRM (10,099 comments) says:

    I noticed on Stuff yesterday evening Paula was saying HEY LOOK – IRA BAILEY FROM THE UREWERA RAIDS!… trying to deflect and even smear Ng as some sort of dodgy underworld ne’er-do-well, instead of getting on with HER JOB of fixing her Ministry’s pathetically incompetent fuck ups.

    Sadly that’s about what I expect from the Minister of Smearing and Discrediting Citizens who Criticise.

    Disappointing, because her child abuse work was looking so positive too, I thought maybe she’d turned a corner. But no, still vindictive little Paula…

    [DPF: You are very wrong. Bennett in fact explicitly said to the media that she thinks Bailey’s involvement is a sideshow, and not what is important. Off memory she has also said both men have done a public service exposing it]

  8. scrubone (3,097 comments) says:

    This is basic, basic stuff. The question is not who gets fired, it’s who gets to stay.

  9. tvb (4,553 comments) says:

    There has been a serious management failure here. I think the SSC should examine this issue. Senior Managers will duck and weave and round up a middle manager to blame but responsibility starts at the top.

  10. Alan Johnstone (1,087 comments) says:

    I really just can’t get my head around this one.

    I’ve been involved in some central government IT work, although not at MSD.

    The governance is normally very good, they have robust checks and very solid change management process.

    This design would have gone through at least 4 or 5 people for review / approval, before it went anywhere close to pilot let alone deployment. The chances that they all missed this is statistically close to zero.

  11. wreck1080 (3,999 comments) says:

    I bet the staff knew.

    Nothing annoys more than IT security. It sometimes blocks info you have legitimate requirements to access, and then you need to call the IT dude/dudette and plead for access.

    So, MSD staff would have had a backdoor to access all sorts of info not intended for their eyes. And, not even needing to call the IT person to view it.

  12. Ross12 (1,484 comments) says:

    OK DPF, I accept the point you make on my earlier post. But it is a test for Boyle and he needs to act quickly if he is going to come out of it “clean”.

    Alan Johnstone @ 10.06 makes a great point. One would normally expect Govt. Depts to “dot the eyes and cross the Ts” more than the private sector (after all they are experts in covering their a…). With all the stuff ups lately a conspiracy theorist could have a field day on all the possibilities.

  13. flipper (4,327 comments) says:

    JeffW
    Yep.
    In the US Federal employee salaries are limited/required by statute to BE LESS THAN THE SALARY PAID TO THE SPEAKER OF THE HoR.

    That would be worth copying – no ifs, no buts, no exceptions. There would need to be compression between the chief clerks (aka CEOs) and those below, but NO state sector salary should exceed that limitation – unless their income is derived from commercial activities and they receive NO VOTE MONIES WHATSOEVER – period.

  14. lastmanstanding (1,310 comments) says:

    If government Ministers were to be likened to directors in public companies then most of them would fail to keep their jobs. For the crap that’s thrown at the private sector and public companies the standard of most directors is far superior to Ministers in any government. Most are there because they won a popularity contest.
    Would Paula Bennett be hired as a director of a public company? Give me a break.
    A handful of them would meet the test but most wouldn’t.

  15. gump (1,682 comments) says:

    I expect they were connected to the network so that WINZ clients could browse online jobs and accommodation listings.

    Why they weren’t confined to a secure VPN is a mystery.

  16. fish_boy (152 comments) says:

    But in a letter to Finance Minister Bill English in February 2009, Mrs. Bennett said she would be monitoring progress of increased use of frontline information services – from stuff – http://www.stuff.co.nz/national/politics/7825312/Governments-approach-to-privacy-cavalier

    This would seem to make a lie of DPF’s claim “…Bennett did not say (as no Minister would) that she would monitor computer security…”

    In fact she basically said she would.

    So we have the minister promising – in writing no less – that she will personally monitor the progress of this Kiosk roll out.

    Mrs. BENNETT said she would personally monitor. Mrs. BENNETT is the responsible minister. Mrs. BENNETT is clearly where the buck stops.

    The minister must resign.

  17. berend (1,690 comments) says:

    I’m just warning you anti-National types, don’t start whining about the 30,000 kids in a database that National is planning. Security there won’t be an operational detail obviously, but closely monitored by John Key himself.

    And don’t complain about a minister who wants to reduce offices and have more self service: the minister only sets the vision, if the MSD decides to act on that vision, that’s an entirely operational matter.

    And don’t whine about National now not looking like a better manager of the same services as Labour would provide. Labour would still be worse. And it’s all Helen Clark and Cullen’s fault.

  18. BeaB (2,164 comments) says:

    Another indication how hopeless most of our public servants are. They may not wear cardies any more but they haven’t changed much – except their salaries are enormous – thanks to a decade of featherbedding under Labour.

    We taxpayers deserve better and should support this government trying to give them a bloody good shake-up. They must drive ministers crazy.

  19. Kevin (960 comments) says:

    Why isn’t anyone concerned about how and why Ira Bailey hacked the thing in the first place? That’s at least, if not more worrying. It was not a Joe Bloggs IT person that found this “security breach” it was a known activist with links to subversive organisations.

  20. labrator (1,851 comments) says:

    “monitoring progress of increased use of frontline information services” != “she would monitor computer security”

  21. berend (1,690 comments) says:

    Kevin, he didn’t hack. He just clicked on File | Open.

  22. labrator (1,851 comments) says:

    Why isn’t anyone concerned about how and why Ira Bailey hacked the thing in the first place? That’s at least, if not more worrying. It was not a Joe Bloggs IT person that found this “security breach” it was a known activist with links to subversive organisations.

    Because the how is very well known and the why doesn’t really matter. Prove he did something wrong with the information first.

  23. scrubone (3,097 comments) says:

    berend: exactly. “Hacking” implies that he did something that Joe Bloggs off the street would be unable to do.

    He didn’t.

    Ira Bailey is a contemptible person, but he’s not the problem here. In fact, the real problem is that this was open for months, and only God knows what even more contemptible persons did with it in the meantime.

  24. scrubone (3,097 comments) says:

    But in a letter to Finance Minister Bill English in February 2009, Mrs. Bennett said she would be monitoring progress of increased use of frontline information services – [snip] This would seem to make a lie of DPF’s claim “…Bennett did not say (as no Minister would) that she would monitor computer security…”

    In fact she basically said she would.

    There is nothing in your quote that says she would monitor computer security, let alone to the level she would have to for this to be her responsibility.

    Fail.

  25. Kevin (960 comments) says:

    Berend “yeah right”. The police should be investigating his involvement but they’re off to their usual slow start because they don’t want to upset the radical greenie demographic.

  26. tristanb (1,127 comments) says:

    Blaming Paula Bennett is like blaming the owner of the ODT for the paper boy kicking your dog (or murdering his family).

    One possible reason this happened:
    They probably put an idiot in charge of setting up the kiosks. The idiot gets a couple of computers, formats the hard drive to be safe. Because they don’t have access to appropriate files, the computers won’t load Microsoft Word. The idiot discovers that by enabling read/write access to the entire network his kiosk now works. He tests out explorer – works, tests out Word – it works too.

    He congratulates himself on a job well done, and goes back to doing his usual duties, oblivious to the massive mistake he has made.

    Someone is responsible for this mess. Firstly, the poor idiot computer tech who just wasn’t thinking that day. And really, if we’re paying CEOs of these organisations many hundreds of thousands of dollars to do a job someone could do equally as well for $80,000, then we might as well hold them responsible – as that’s the excuse given for the high salary. Then we fire them, and give them a golden handshake and a bonus.

    The other problem is that only very few people should have access to every single file. Not every computer administrator needs permission for every file on the MSD system. Maybe one or two do. If others need them, they can have temporary or partial access. This means that your newbie 24-year-old tech, getting the exciting job of setting up a kiosk system, isn’t going to be able to make such mistakes. It also means that malicious IT people who get a job aren’t going to have access to everything too, unless they make it to the position of lead IT guy.

  27. jonno1 (82 comments) says:

    Where’s Mordac, The Preventer of Information Services, when you need him?

  28. KevinH (1,253 comments) says:

    While job hunting a couple of years ago I used the WINZ job search kiosk computers and was surprised to find you could access WINZ files relatively easily, especially if you had a client number. However, unlike Keith Ng, I didn’t look at any confidential information and continued to use the kiosk for its job search function.
    To access confidential information you actually have to search for it once you have opened the file, this would be akin to taking someone’s mail from their letterbox and reading it which I personally wouldn’t do out of respect for that person’s privacy and also because it is unethical to do so.

  29. berend (1,690 comments) says:

    tristanb, the problem here is that this was a government contract. The money spent on this is probably a factor 10 of what a business would have paid. It’s just the usual government level competence. And I’m not blaming employees here, the system of government itself causes stuff ups like this. You cannot improve that.
