Small on MSD breach

November 5th, 2012 at 7:00 am by David Farrar

Vernon Small writes:

So four lowly ranked heads are on the block over the unforgivable security lapse at the Social Development Ministry.

As an interim step, it is a reasonable response to the “damning” Deloitte report, which found “woeful” failures at the ministry – and those are just the words of chief executive Brendan Boyle.

The legal rights of those workers – presumably middle IT management – are being handled with the required caution.

I’m not sure I’d call middle IT managers lowly ranked. We don’t know positions and names (and may never know), but IT Managers can be pretty well remunerated and quite senior.

But that still begs the question of whether it is a case of “the worker wot gets the blame” while the executives escape with their salaries and bonuses intact.

That will only be answered by a second report looking into the systems and culture at the ministry. But it will be extraordinary if all the failures are left resting on the shoulders at the bottom of the pile.

Among papers released yesterday was the ministry’s 2006 risk-management manual that makes clear where responsibility rests.

It is hard to see how “monthly discussions relating to risk management and mitigation” at deputy chief executive level or a rule that all risks be “documented, rated, managed and monitored in a comprehensive manner” by general managers allowed urgent risks picked up last year by Dimension Data to “drop off the radar”.

How could the risk presented by 700 public terminals, linked to the main servers, not be the responsibility of a senior manager somewhere in the system?

This is the point I also made yesterday. Unless the risk was never ever reported to senior management, I’d expect a senior manager such as the CIO to be accountable for not following up. But we don’t yet know the full details.

Meanwhile the ministry is doing itself no favours in the way it is advising those affected by the leak. Sure, Keith Ng and Ira Bailey, who accessed the data, pledged it went no further.

But the ministry cannot be certain there were no other privacy breaches. It is unclear who was behind a similar one on October 4, the day before Mr Bailey reportedly accessed the system.

Yet Mr Boyle said only 10 people, with the most sensitive privacy issues, would be told out of the 1432 whose data was accessed.

It is out of kilter that an agency that allowed such a major lapse should then arbitrate on how serious it was and who should be told. Those not informed include some facing benefit fraud investigations.

Mr Boyle seemed to think a public apology would suffice.

He should ponder Ms Shroff’s advice. “There’s been far too little focus on the fact that there are real people behind the information that government agencies hold.”

A fair point, but to be fair to this security vulnerability may have bene in place for 13 years. Arguably every client of WINZ in that time *may* have had some details about them accessed. I think it is unlikely, but I can understand why they are only individually going to those with the most sensitive information.

11 Responses to “Small on MSD breach”

  1. Lee C (2,987 comments) says:

    Looks like it’s time to circle the wagons and put the most expendable in the firing line (to mix metaphors) to me.

    If this has been going on for years it’s systemic – and the top people should be responsible for being asleep at the wheel while they drew their salaries all this time IMO…

  2. hmmokrightitis (1,910 comments) says:

    The CIO’s head should roll, as should the head of infrastructure. A simple network / systems diagram would have highlighted the gaping hole, and for either of those two roles to either not have that, or to ignore what it was showing them is negligent.

  3. jims_whare (497 comments) says:

    may have bene in place for 13 years

    Gotta love the Freudian spelling error – much appropriate!

  4. Mark (1,611 comments) says:

    Surely there must be some accountability further up the food chain when the report by Deloitte is apparently so damning. If all these decisions on system security are left to middle management then no wonder the system failed, it was on Autopilot from above.

  5. lastmanstanding (1,724 comments) says:

    If we had any real governance Bennett and Boyle would both go. But we don’t. Instead a couple of middle management will be sacrificed to play to the crowds.

  6. alex (311 comments) says:

    Clearly the buck does not stop at Bennett. She’s starting to look pretty craven and desperate trying to avoid blame for this.

  7. Pete George (24,828 comments) says:

    alex – should all Ministers over the last thirteen years accept blame for this?

  8. Bill (19 comments) says:

    These imbedded Political Saboteurs in the Public Service have to be sacked if this country is ever to get ahead!

  9. alex (311 comments) says:

    @PG – Don’t be stupid, Bennett has been in charge of MSD for four years now. That is easily long enough to get on top of the portfolio, which clearly she hasn’t.

  10. Viking2 (14,357 comments) says:

    HMMM. 15 years eh. well that goes right back to about the time slimy Maharey and his grubby little lieutenant from the PM’s office outrageously attacked the best CEO winz have ever had.
    Remember that the grub was so tall he didn’t reach her breast height so had to get her to bend over so he could look.
    Pair of socialist arsewipes both. One now on another exorbitant salary whilst stuffing Massey. The other seems to have disappeared in disgrace as he should. Sold his soul out to Clark. Doesn’t seem to have got him a place at the UN though.

  11. slijmbal (1,270 comments) says:

    Having some idea of the $ IT spend in MSD the chances of the CIO getting anywhere near any real understanding of the network set-up is negligible. He/She would spend most of his efforts trying to drive major initiatives and attempting to control costs. There would be a 2nd tier manager (sometimes 3rd tier for networks) responsible for this. He would receive a pretty penny and if less than $150K p.a. I would be surprised. There would also be probably a couple of senior network architects on $100-120K p.a. That group would be turfed out no question in any real organisation.

    And while the CIO probably wouldn’t have known the state of security it is so enormous a screw up he needs to fall on his sword. The CIO would probably be employable – not in any government agency, which is severely limiting in Wellington – so would probably have to move to Auckland or try and join a consultancy. The rest of them would probably need to go to Oz to get a job. The IT world is too small in NZ.
