Keith’s blog post on the IT security breach at MSD is here.
The top executive at MSD was paid about $600,000 last year, and these large salaries are constantly justified to us on the basis that they’re required to attract ‘world-class leadership’ to these organisations.
You’d think some of that cash would buy you a world-class leader who saw the ACC fiasco unfold, with privacy breaches, Ministerial sackings, board resignations etc., and thought, ‘Hey – maybe we should check to make sure we’re not making the medical history and addresses of at-risk children available to everyone in the country.’ Apparently not.
The Herald has reaction from the department:
Ministry of Social Development deputy chief executive Marc Warner said last night an urgent investigation had started.
“We have closed all kiosks in all sites across the country to ensure no further information can be accessed,” he said in a statement.
“They will not be re-opened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts.”
The kiosks aren’t really the problem here. The kiosks are how the public found out that MSD doesn’t seem to have any internal IT security.
Look at it this way: if you’re reading this at work and you try to access the folders or shared drive of your legal department or HR department, and you’re not a member of those groups, you won’t be able to. They’ll contain privileged information, so they’re locked down. This level of security has been ubiquitous in corporate environments since the 1980s.
But not at MSD. If someone gets a temporary contract, or an entry-level data-entry job at MSD, they’ll still have access to all the private information Keith obtained through the kiosks.
The Minister should probably sack her CEO over this, and the opposition will be fishing for any evidence that the Department asked for funding to improve IT security but got turned down.