Worksafe’s prosecution

March 3rd, 2015 at 9:00 am by David Farrar

Stuff reports:

WorkSafe NZ has laid a charge against the Ministry of Social Development over the shooting at its Ashburton office in September in which two Work and Income staff were killed and another was injured.

Russell John Tully, 48, allegedly murdered Work and Income employees Peg Noble and Susan Leigh Cleveland and seriously wounded Lindy Curtis, in a shooting at their Cass St office on September 1 last year. Tully is set to stand trial in May.

The charge, laid under the Health and Safety in Employment Act, alleges that the ministry failed to take all practicable steps to ensure the safety of its employees while at work.

I’m somewhat staggered by this decision. Holding an employer accountable for the actions of a killer who stormed into their offices with a gun seems repugnant. If there was gross negligence in the actions of an employer, then I might expect a prosecution – say if they ignored repeated warnings.

We don’t know the details of why Worksafe is prosecuting, so we have to hold off judgement until court. However I am worried this may represent an unfair shifting of responsibility.

Imagine the employer isn’t MSD, but a private employer. It is bad enough that someone storms in and kills two staff, and terrifies the others. But a few months later you get told you’re being prosecuted for not keeping your staff safe enough. It would be devastating.

The threshold for prosecution should be high. No employer will be perfect, and short of turning every office in the country into an iron clad fortress, I don’t see how you can stop someone with a gun.

Now maybe there was some very basic stuff that MSD got wrong, that justifies legal action. I will reserve judgement until we see the case. But my initial instinct is that this may set a very low bar for prosecutions against future employers.

Tax and welfare debt

August 14th, 2013 at 2:00 pm by David Farrar

Laura Walters at Stuff reports:

Government agencies are more likely to write off unpaid tax than welfare debt, new research shows.

Victoria University accounting and commercial law associate professor Lisa Marriott’s research showed Inland Revenue was more likely to write off unpaid tax than the Ministry of Social Development (MSD) was to write off welfare debts.

So why might this be?

“There appears to be no basis for treating debtors to the two government agencies differently,” Marriott said.

I agree, but are they treated differently when different factors are accounted for?

Between July 1, 2011, and June 2012, Inland Revenue wrote off nearly 50 per cent of interest and penalties applied to overdue tax, amounting to $374 million.

It wrote off $435m in core debt, reflecting 11.6 per cent of collectable debt, the study showed.

MSD wrote off $8.7m in core debt, or 2.1 per cent of collectable debt.

The study showed that in the same period, the average value of outstanding tax debt was $14,479 per taxpayer in debt, while the average value of outstanding welfare debt was $2523 per beneficiary in debt.

And that is the key difference – the level of debt. The more debt that is owed, the less likely it is the person owing it can pay it. Those with high levels of debt can choose bankruptcy which means almost no debt gets paid. Hence you sometimes work out a compromise.

The research is interesting, but not conclusive. What would be more useful is an analysis of how much is written off by IRD and MSD for debts of a similar level. I doubt IRD writes off many debts when say just $1,000 is owed.

MSD would collect debts from beneficiaries’ payments, she said.

That may explain some of the difference also. IRD can’t simply deduct tax owed from money it pays you. At best it can go to your bank or employer and ask them to do it.


Heads must roll

November 20th, 2012 at 4:00 pm by David Farrar

David Fisher at NZ Herald reports:

The security review into problems at the public computer kiosks run by the Social Development ministry raised identical problems to those exposed by a blogger 18 months later.

Keith Ng’s discovery of private information sitting on publicly-accessible hard drives was an almost exact match for the April 2011 report by a security company hired to find problems.

The report found the connection between the corporate computers and public kiosks – planned for MSD offices across the country – was dangerous.

“This lack of separation means that the kiosk terminal has the same level of authority and access as corporate MSD employees.”

It went on to say it created an “inherent level of risk as it could allow for a member of public to gain access to MSD network resources and services”. …

The type of information at risk was also revealed in the April 2011 security report. It raised concerns about medical information, drug testing results and recorded calls to MSD’s helpdesk as being openly available.

It recommended taking “urgent” action to restrict access.

“A malicious user with access to the operating system of the kiosk is able to gain access to sensitive information kept with the MSD network including medical and drug test results,” it stated.

The review into the problem, released three weeks ago, showed senior managers were not told about the problem.

The April 2011 report was ignored until Mr Ng revealed the holes in MSD’s system.

The staff who were aware of this report and did nothing, clearly must be goneburger – subject to natural justice.

But that does not mean more senior managers are exempt. They may not have known of the recommendations in the report, but were they aware of the fact a report was commissioned? Or were they totally in the dark as to the fact there had even been an issue with the kiosks?

And even if they were totally in the dark, then the question for the senior managers is whether they had a risk reporting framework in place, which required risks such as those identified in the security report to be recorded in a risk register which is reviewed by senior management. If they did not have a comprehensive risk reporting framework in place, then they should consider their own positions.

It is possible that MSD did have a comprehensive risk reporting and mitigation framework in place, and the four staff involved just ignored it. If that is the case, then liability may stop with those staff directly involved. We won’t know until the disciplinary processes are concluded and the full report on why nothing happened is released.


Small on MSD breach

November 5th, 2012 at 7:00 am by David Farrar

Vernon Small writes:

So four lowly ranked heads are on the block over the unforgivable security lapse at the Social Development Ministry.

As an interim step, it is a reasonable response to the “damning” Deloitte report, which found “woeful” failures at the ministry – and those are just the words of chief executive Brendan Boyle.

The legal rights of those workers – presumably middle IT management – are being handled with the required caution.

I’m not sure I’d call middle IT managers lowly ranked. We don’t know positions and names (and may never know), but IT Managers can be pretty well remunerated and quite senior.

But that still begs the question of whether it is a case of “the worker wot gets the blame” while the executives escape with their salaries and bonuses intact.

That will only be answered by a second report looking into the systems and culture at the ministry. But it will be extraordinary if all the failures are left resting on the shoulders at the bottom of the pile.

Among papers released yesterday was the ministry’s 2006 risk-management manual that makes clear where responsibility rests.

It is hard to see how “monthly discussions relating to risk management and mitigation” at deputy chief executive level or a rule that all risks be “documented, rated, managed and monitored in a comprehensive manner” by general managers allowed urgent risks picked up last year by Dimension Data to “drop off the radar”.

How could the risk presented by 700 public terminals, linked to the main servers, not be the responsibility of a senior manager somewhere in the system?

This is the point I also made yesterday. Unless the risk was never ever reported to senior management, I’d expect a senior manager such as the CIO to be accountable for not following up. But we don’t yet know the full details.

Meanwhile the ministry is doing itself no favours in the way it is advising those affected by the leak. Sure, Keith Ng and Ira Bailey, who accessed the data, pledged it went no further.

But the ministry cannot be certain there were no other privacy breaches. It is unclear who was behind a similar one on October 4, the day before Mr Bailey reportedly accessed the system.

Yet Mr Boyle said only 10 people, with the most sensitive privacy issues, would be told out of the 1432 whose data was accessed.

It is out of kilter that an agency that allowed such a major lapse should then arbitrate on how serious it was and who should be told. Those not informed include some facing benefit fraud investigations.

Mr Boyle seemed to think a public apology would suffice.

He should ponder Ms Shroff’s advice. “There’s been far too little focus on the fact that there are real people behind the information that government agencies hold.”

A fair point, but to be fair to MSD this security vulnerability may have been in place for 13 years. Arguably every client of WINZ in that time *may* have had some details about them accessed. I think it is unlikely, but I can understand why they are only individually going to those with the most sensitive information.

The MSD computer system

November 4th, 2012 at 11:52 am by David Farrar

Keith Ng blogged on Friday on the MSD report into their security breach. He notes that MSD itself says the report is damning. He quotes the earlier report:

The most pressing security issue discovered is the lack of network separation or segregation within the environment… This introduces an inherent level of risk as it could allow for a member of the public to gain access to MSD network resources and services. Physical network separation is strongly recommended, and the current solution should not be deployed into a production environment before network separation is achieved.

This is the key. If the kiosks and the corporate network are physically separate, then you solve almost all the issues. It is good that Dimension Data recommended this. The massive question for MSD is why this was not implemented.

So where are we now? Four “employment investigations” are under way. Boyle refused to say anything about these people, so we don’t know their seniority or the nature of their roles. But he did make clear that the decisions didn’t get escalated properly – i.e. senior managers weren’t involved. He also said that it simply “dropped off the radar” – that it wasn’t a matter of cost-cutting, it was a matter of WTF.

So basically, there is no explanation of why they ignored DiData’s report. Hopefully we’ll find out more once those “employment investigations” are completed and the second phase of the report comes out.

Heads must roll for this. How high up it goes, will depend on the facts. I would make the point though that just because it wasn’t escalated to someone, doesn’t mean they are in the clear. The question should be whether a particular manager should have asked for a copy of the report and reviewed it themselves. I would expect senior managers in the IT area to be managing risk in this area, and to be maintaining a risk register. This should have been on it, and they should have been asking for reports on it. Now if underlings just neglected to enter this issue on the risk register, then maybe senior management are not culpable. But if senior IT management were not running a risk register, then they face hard questions also.

NBR have the full report.

Also of interest is this Herald story:

Computer terminals used for 13 years by job seekers at Work and Income offices had the same security flaw as the self-service kiosks at the centre of the major privacy breach at Winz.

An independent report has revealed the computers used between 1998 and 2011 were also connected to Ministry of Social Development’s corporate computer network allowing access to private information.

13 years!!

The MSD computer breach

October 17th, 2012 at 9:00 am by David Farrar

Stuff reports:

Social Development Minister Paula Bennett says security of computer systems is an operational matter despite giving earlier assurances she would monitor it.

Few people who are not partisan would expect the Minister to somehow be over the details of computer systems in a massive ministry. The job of the Minister, like a Director, is to ask questions such as have you had a firm test your security etc. Bennett did not say (as no Minister would) that she would monitor computer security. She said:

“Whilst the ministry has a strong focus on reducing its national office numbers there are also substantial plans to automate frontline services for clients through the use of online and other IT solutions,” she wrote.

However there is no doubt the Govt gets damaged when ministries fail, and they are held ultimately accountable if they are not seen to respond strongly enough and give reassurance it won’t happen again.

Consultancy firm Deloitte has been appointed to conduct an independent investigation after blogger Keith Ng revealed he was able to access Ministry of Social Development servers through public kiosks in a Work and Income office.

MSD chief executive Brendan Boyle yesterday admitted they had not acted on earlier warnings about the system.

That is hugely concerning, and someone should be held accountable for that. Also as I had previously blogged, the investigation should not just be into the security breach, but also into why the kiosks were even connected to the main corporate network.

Ira Bailey

October 16th, 2012 at 9:00 am by David Farrar

Keith Ng blogs:

The guy who tipped me off is Ira Bailey. He was one of the Urewera 17. He currently works as a system administrator, has a young child, and is not interested in being in the media limelight. That’s why he asked for anonymity.

Mr Bailey is not interested in publicity? This must be a recent thing, as he has sought it in the past.

He did not have any special access to the system – he just had half an hour to kill at a WINZ office.

So Bailey says he just happened to be at a WINZ office, and was bored.

He plugged in his USB drive and it didn’t appear, so he had a poke around the system to find it – and found the giant vulnerability instead.

Yeah, I plug in USB drives to computer terminals all the time.

I should make very clear that I think Keith Ng has acted entirely properly and ethically. He got told of a security breach, he investigated it, he took evidence to prove it, he notified MSD and the Privacy Commissioner, he revealed the breach and handed all the data over to the Privacy Commissioner.

I also think Keith believes what Mr Bailey has told him. I’m just slightly more sceptical of the story that an experienced system admin just happens to be bored, at WINZ, and accidentally finds it. Especially when you consider what he then did.

He called MSD to ask if they had a reward system for reporting security vulnerabilities. This is not unusual practice, and it’s certainly not blackmail. Google and Facebook, for example, both pay for vulnerability reporting. It gives them an opportunity to close holes discreetly, without causing embarrassment for their company.

Yes, giant global tech companies have been known to have a reward system. I’ve never ever heard of a Govt Dept having such a system, and companies that do, tend to advertise the fact. I asked Keith if Bailey asked for or suggested a specific amount, and he said no.

It is unfortunate Bailey thought his “accidental” half hour discovery was something MSD should pay for and did not do what Keith did, and just alert the Privacy Commissioner and publish what happened – either directly or via Keith.

MSD called Ira back two days later. They told Ira that they don’t pay for vulnerability reports. Ira told them he’d been talking to a journalist and the conversation didn’t go anywhere after that.

I’d be interested in details of that conversation. I’d also be interested in how after that MSD didn’t find the massive security hole. Who was alerted to the request for payment?

Should he have reported the vulnerability, free of charge? Yeah, that would have been the selfless thing to do for the public good. But asking to be compensated for his troubles is not unreasonable, either. After all, it’s not as if the people MSD ended up relying on – KPMG – did it for free.

There is a difference between being asked to locate a vulnerability for a fee, and finding one and asking someone to pay you for it, or otherwise you’ll expose it in the media.

As I said I think Keith has acted entirely appropriately, and I’ve said so on radio – his actions have served the public interest. I’m reserving judgement on Bailey until I’ve heard more detail.

Ng reveals massive MSD privacy breach

October 15th, 2012 at 7:55 am by David Farrar

This is a must read story. Keith Ng details how you can access pretty much the entire MSD computer system through their public kiosks. We are talking sensitive details magnitudes worse than in the ACC privacy breach. We’re talking:

  • fraud investigations
  • invoices including all contractors (including their media trainers who will now be much needed)
  • details of candidates for adoptions
  • children in CYFS care
  • medical records
  • Debts owed to MSD
  • Full names of kids in their High and Complex Needs section
  • Names of kids in CYFS residential care
  • Phone bills that reveal physical addresses of CYFS homes
  • Bills from pharmacies that detail which children get which medications
  • An invoice from a community group for whanau support after a suicide, with the full name of the deceased

Keith says:

  • Public kiosks should not have been connected to the corporate network.
  • Servers that didn’t need to be globally accessible should not have been globally accessible, even if they only contained innocuous data.
  • Invoices, file logs and call logs, at a place like MSD, should not have been treated as innocuous data. 

That is a minimum. I’d expect invoices to be username and password accessible only. But the first point is the key one – the kiosks should not be linked to the corporate network.
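Keith’s first point, and the Dimension Data recommendation of physical network separation quoted above, come down to one property you can actually test: a kiosk must not be able to reach corporate services, while still reaching the few things it needs. The example below is added here and is not code from MSD, Dimension Data or Keith Ng. It models a firewall policy as first-match rules with a default deny, then checks a “flat” policy and a segmented one against a list of flows a kiosk must never make and a list it must still be able to make. Every subnet, address, port and rule in it is a constructed assumption for illustration.

```python
"""Segmentation check: can a public kiosk reach corporate services?

Added example with constructed data. The subnets, hosts, ports and rules
below are assumptions chosen to illustrate the point, not MSD's network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    ports: frozenset     # TCP ports; an empty set means any port

    def matches(self, src_ip, dst_ip, port):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (not self.ports or port in self.ports))


def decide(rules, src_ip, dst_ip, port):
    """First-match evaluation; anything no rule mentions is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


def segmentation_violations(rules, forbidden_flows):
    """Return the flows a kiosk must never make that the policy still allows."""
    return [flow for flow in forbidden_flows
            if decide(rules, flow[0], flow[1], flow[2]) == "allow"]


def broken_services(rules, required_flows):
    """Return the flows a kiosk needs for its job that the policy blocks."""
    return [flow for flow in required_flows
            if decide(rules, flow[0], flow[1], flow[2]) == "deny"]


KIOSK_VLAN = "10.50.0.0/24"      # assumed: public kiosks
CORP_NET = "10.10.0.0/16"        # assumed: corporate servers and staff
KIOSK = "10.50.0.23"             # assumed: one kiosk

# Constructed: flows a kiosk should never be able to make.
FORBIDDEN = [
    (KIOSK, "10.10.4.10", 445, "SMB share on file server"),
    (KIOSK, "10.10.4.11", 1433, "SQL on database server"),
    (KIOSK, "10.10.1.5", 389, "LDAP on domain controller"),
    (KIOSK, "10.10.9.9", 22, "SSH to a corporate host"),
]

# Constructed: the only flows a kiosk needs (a web proxy and DNS).
REQUIRED = [
    (KIOSK, "10.10.200.5", 8080, "HTTP via web proxy"),
    (KIOSK, "10.10.200.53", 53, "DNS"),
]

# "Flat" network: kiosks share the corporate network with no filtering.
FLAT_POLICY = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0", frozenset())]

# Segmented network: the kiosk VLAN may reach only the proxy and DNS. The
# final deny is redundant with the default but makes the intent explicit.
SEGMENTED_POLICY = [
    Rule("allow", KIOSK_VLAN, "10.10.200.5/32", frozenset({8080})),
    Rule("allow", KIOSK_VLAN, "10.10.200.53/32", frozenset({53})),
    Rule("deny", KIOSK_VLAN, CORP_NET, frozenset()),
]


def report(name, rules):
    """Summarise one policy; returns (violations, broken) for checking."""
    violations = segmentation_violations(rules, FORBIDDEN)
    broken = broken_services(rules, REQUIRED)
    print(f"{name}: {len(violations)} forbidden flow(s) allowed, "
          f"{len(broken)} required flow(s) blocked")
    for flow in violations:
        print(f"  ALLOWED but forbidden: {flow[3]} ({flow[1]}:{flow[2]})")
    return violations, broken


if __name__ == "__main__":
    report("flat", FLAT_POLICY)
    report("segmented", SEGMENTED_POLICY)
```

Run as written, the flat policy reports all four forbidden flows as reachable and the segmented policy reports none, with both required flows still allowed. Keeping the forbidden and required lists alongside the rules is the point: a change that quietly reopens SMB from the kiosk VLAN fails the check, and so does one that breaks the kiosk’s proxy access.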

It goes without saying that there must be a full inquiry into this. I have to say that my expectation is there should be staff resignations over this. This is not like ACC where the privacy breach was a mistake – a file accidentally attached to an e-mail. Mistakes will always happen. This appears to be a case of fundamentally flawed decisions – such as connecting the kiosks to the corporate network.

I don’t know how long it has been this way, but it must change.

Keith is a freelance journalist. If you want to help fund the excellent work he has done in this area, you can donate to it here. I have.

Talking of insecure data, you should also read how Whale managed to change the advertisements on The Standard through an insecure adserver. Also not a good look.

A sensible move

September 6th, 2011 at 12:00 pm by David Farrar

Simon Collins at NZ Herald reports:

Housing NZ chief executive Dr Lesley McTurk has told the corporation’s 1100 staff that staff numbers will be cut by about 100 as the agency’s focus narrows down to managing its 70,000 state houses.

“We will no longer have a role to assist individuals with their wider social needs. We will concentrate on their accommodation needs,” she said.

Most tenancy managers will become “fully mobile” by next September, reporting from their cars to five home bases in central and South Auckland, Tauranga, Wellington and Christchurch.

Housing NZ should indeed focus on being a great landlord, not an agency of social workers.

Labour housing spokeswoman Moana Mackey said a Labour Government would reverse the changes and turn Housing NZ back into “a social housing provider rather than just another landlord”.

Of course.

But a consultation document issued to staff a week ago says the agency would “stop delivering social services that should be delivered by other organisations”.

“Tenancy managers and case managers frequently find themselves following up with many other agencies such as Child, Youth and Family [CYFS] on child safety concerns; district health boards on health; budget services; school truancy issues and so on,” the document says.

“The Ministry of Social Development [MSD] will act as a conduit for all other agencies that need to provide social support to the corporation’s tenants.”

Dr McTurk said all existing Housing NZ branches would be absorbed gradually into MSD’s “Community Link” centres, which already bring together Work and Income, CYFS and sometimes other agencies in 50 locations. A further 30 are planned in the next year.

And that is probably one of the best things you can do to help families in need. A “one stop shop” centre which brings all the social need agencies together should be vastly superior to having each agency doing its own thing.

Let Housing NZ be a great landlord, and MSD be a great social service provider.

Community Max

February 16th, 2011 at 9:00 am by David Farrar

Stuff has a couple of stories on government funded community max schemes, where the outcomes have been very dubious – catching horses to release them again, and a Maori Internet business directory which is not online.

Personally I am dubious about many of these taxpayer funded community schemes. They can provide useful skills and experience to those who don’t have any, but they can also cost a lot of money and not produce much in the way of outcomes.

MSD say the majority of participants in the two examples above, have gained skills and are now off benefits. But paying $175,000 for a project (a Maori online business directory) that it seems wasn’t even needed (there are existing ones) is an expensive way to go about it.

Silly filters

November 4th, 2009 at 2:00 pm by David Farrar

The Dom Post reports:

The pornographic connotations of the word “teen” are stopping emails from reaching the government department responsible for youth issues.

The Social Development Ministry is blocking any emails with the word – or its plural, “teens” – from getting through, because it is often associated with advertising for online pornography.

But Labour deputy leader Annette King has labelled the firewall ridiculous, and called for the problem to be fixed.

The word is on a blacklist of terms blocked by the ministry, meaning that only email addresses on a “white list” can receive messages containing those words.

Annette is right – how stupid. Blacklists or filters based on single words are almost always over-reaching. Smart anti-spam programmes look at a whole host of signals to assign a probability that something is spam.

Social Development Ministry chief information officer David Habershon said the word teen was blocked because it was often used in advertising for “adult websites”.

“We base our parameters in terms of the words that are on the blacklist based on best practice.”

He would not say what other words were blocked.

The ministry was “continually refining” its list, but had to seriously consider which words were acceptable, he said. “When we find examples of particular words which are legitimately used within certain business units we amend our systems accordingly. But in doing so, we have to weigh up the impact of removing a particular word against the benefits.”

I despair at the thought of departmental staff sitting down and deciding what words to block. Just use a “smart” anti-spam filter that learns as it goes.
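To show the difference between the single-word blacklist described above and a filter that scores the whole message, here is an added example; it is not MSD’s filter, and the messages in it are a constructed toy corpus. It trains a multinomial naive Bayes classifier on a handful of invented youth-services e-mails and a handful of invented advertisements, then puts it beside a blacklist of the kind the article describes. The blacklist blocks every mail containing “teen”; the classifier lets the youth-services mail through and still catches the advertisement, because it weighs every word in the message rather than one.

```python
"""Word blacklist versus a naive Bayes spam classifier.

Added example with a constructed toy corpus. The messages and the blacklist
below are invented for illustration and are not from MSD's mail system.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z]+")


def tokenize(text):
    return TOKEN.findall(text.lower())


# A single-word blacklist of the kind the article describes (assumed words).
BLACKLIST = {"teen", "teens", "xxx", "viagra"}


def blacklist_blocks(text):
    """One blacklisted word anywhere in the message blocks it outright."""
    return any(tok in BLACKLIST for tok in tokenize(text))


class NaiveBayesFilter:
    """Multinomial naive Bayes with Laplace (add-one) smoothing."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text, label):
        toks = tokenize(text)
        self.word_counts[label].update(toks)
        self.doc_counts[label] += 1
        self.vocab.update(toks)

    def _log_score(self, toks, label):
        counts = self.word_counts[label]
        denom = sum(counts.values()) + len(self.vocab)
        prior = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        # Unseen words get count 0 + 1, so they never zero the whole product.
        return prior + sum(math.log((counts[t] + 1) / denom) for t in toks)

    def spam_probability(self, text):
        toks = tokenize(text)
        ls, lh = self._log_score(toks, "spam"), self._log_score(toks, "ham")
        m = max(ls, lh)  # shift before exp to avoid underflow
        return math.exp(ls - m) / (math.exp(ls - m) + math.exp(lh - m))

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


# Constructed training data: legitimate youth-services mail uses "teen" too.
HAM = [
    "teen summer programme enrolment forms attached for the youth services team",
    "meeting about the teen mentoring pilot moved to thursday",
    "please review the teen employment report before the ministry briefing",
    "agenda for the youth advisory group and teen consultation workshop",
    "funding application for teen health services in the region",
    "minutes from the policy meeting on benefit eligibility attached",
]
SPAM = [
    "hot teen pics click now free access xxx",
    "free teen webcam girls click here",
    "cheap viagra online order now free shipping",
    "you have won a prize click now to claim your free gift",
    "xxx teen videos free access instant",
    "earn money fast work from home click here",
]


def build_filter():
    f = NaiveBayesFilter()
    for msg in HAM:
        f.train(msg, "ham")
    for msg in SPAM:
        f.train(msg, "spam")
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ["Teen programme meeting agenda attached",
                "Free teen xxx click now"]:
        print(f"{msg!r}: blacklist blocks={blacklist_blocks(msg)}, "
              f"P(spam)={f.spam_probability(msg):.3f}")
```

The classifier’s verdict on the youth-services mail is driven by “programme”, “meeting”, “agenda” and “attached” outweighing “teen”; the advertisement is caught on “free”, “click”, “now” and “xxx” together. Real filters add far more signals than word counts (sender reputation, headers, URLs), but even this toy shows why a one-word rule is the wrong tool.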


March 4th, 2009 at 7:13 am by David Farrar

I blogged last month, re Victoria Stevens:

She managed to wrestle with Police after barking like a dog and swearing in front of the widow of the man her son is accused of murdering.

So I am forced to wonder, what is the actual nature of the condition that makes her unable to work? After all, it took four police officers to subdue her, and she still managed to kick the court room doors open as they removed her.

I hope someone from MSD/WINZ takes note, and perhaps refers her to an independent doctor for confirmation of this mystery condition that makes her permanently unable to work.

The Dom Post reports today:

Mrs Stevens, 43, confirmed yesterday that she had been contacted by the Social Development Ministry and asked to make an appointment with an accredited doctor to prove she was eligible for a benefit.

She had spent years in an abusive relationship and suffered from arthritis, weak bones and emotional difficulties, she said.

She saw a Hastings doctor yesterday. “I don’t care what people think. It’s emotional and physical. That’s all I’m going to say.”

She would not say how long she had been a beneficiary.

Very impressive that she managed to wrestle four police officers despite her arthritis and weak bones.

Good to see MSD doing the right thing and referring her to an accredited Doctor.

A more efficient public sector

February 18th, 2009 at 10:38 am by David Farrar

Some people regard this as bad news:

The Ministry of Social Development aims to cut its staff of 9500 by 5 per cent (475) over the next four years by automating some processes and allowing people to apply for some benefits online.

I regard that as very good news.

If we want to lift wages for everyone, then you do it through productivity gains, and online automated processes are one of those ways. And a 5% reduction over four years is pretty modest – I doubt anyone will lose their job – just that some vacancies do not get filled.