The Dim-Post

October 15, 2012

Open government

Filed under: Politics — danylmc @ 7:47 am

Kieth’s blog post on the IT security breach at MSD is here.

The top executive at MSD was paid about $600,000 last year, and these large salaries are constantly justified to us on the basis that they’re required to attract ‘world-class leadership’ to these organisations.

You’d think some of that cash would buy you a world-class leader who saw the ACC fiasco unfold, with privacy breaches, Ministerial sackings, board resignations etc, and think, ‘Hey – maybe we should check to make sure we’re not making the medical history and addresses of at-risk children available to everyone in the country.’ Apparently not.

The Herald has reaction from the department:

Ministry of Social Development deputy chief executive Marc Warner said last night an urgent investigation had started.

“We have closed all kiosks in all sites across the country to ensure no further information can be accessed,” he said in a statement.

“They will not be re-opened unless and until we can guarantee they are completely secure and we have obtained independent assurance from security experts.”

The kiosks aren’t really the problem here. The kiosks are how the public found out that MSD doesn’t seem to have any internal IT security.

Look at it this way: if you’re reading this at work and you try and access the folders or shared drive of your legal department, or HR department and you’re not a member of those groups, you won’t be able to. They’ll contain privileged information so they’re locked down. This level of security has been ubiquitous in corporate environments since the 1980s.

But not at MSD. If someone gets a temporary contract, or an entry level data-entry job at MSD they’ll still have access to all the private information Keith obtained through the kiosks.

The Minister should probably sack her CEO over this, and the opposition will be fishing for any evidence that the Department asked for funding to improve IT security but got turned down.


  1. ” The Minister should probably sack her CEO over this… ”
    Ah…. I would have thought that a ministerial resignation as well. You point out.

    “….You’d think some of that cash would buy you a world-class leader who saw the ACC fiasco unfold, with privacy breaches, Ministerial sackings, board resignations etc, and think, ‘Hey – maybe we should check to make sure we’re not making the medical history and addresses of at-risk children available to everyone in the country.’ Apparently not.”

    Just saying.

    Comment by ihstewart — October 15, 2012 @ 8:26 am

  2. my favourite tweet –

    Stella Blake-Kelly ‏@_stella_bk

    How long until Paula releases @keith_ng’s student loan details? #WTFMSD

    Comment by Cnr Joe — October 15, 2012 @ 8:50 am

  3. Holy shit, it’s unbelieveable. Clusterfuck central doesn’t even come close. Terrific piece of journalism by Keith Ng.

    As an aside other than her refusal to seriously engage the role of poverty in child abuse I thought Paula Bennett was very sincere and persuasive in her Q+A interview yesterday. I guess reservations about information sharing as part of the initiative will now be properly addressed, hopefully not at the cost of the overall aim (which should be supported regardless of political hue).

    Comment by TerryB — October 15, 2012 @ 9:35 am

  4. “… I thought Paula Bennett was very sincere…”

    Fanatics are always sincere.

    Comment by Sanctuary — October 15, 2012 @ 9:38 am

  5. I refuse to read this news story as it was delivered by a “blogger”. I’m waiting for John Armstrong to give us proper journalism (after he’s been briefed).

    Comment by sammy 2.0 — October 15, 2012 @ 10:11 am

  6. Preliminary reports have shown that those responsible for network security just simply didn’t have the manpower to adequately complete the task properly.

    Steve Cardigan who leads up the team responsible said ” At the time we were carrying out this job the ammount of morning teas for people retiring or celebrating birthdays skyrocketed. Add that to the days of diversity training and the “how to be around small children and not come off like a paedo” classes, and we simply just didn’t have the time to do the job properly.”

    Comment by Thecoff — October 15, 2012 @ 10:20 am

  7. So, Brendan Boyle is the Chief Executive of MSD and immediately prior to this was the Government Chief Information Officer ‘responsible for developing and implementing the Government’s Information and Communications Technology (ICT) Strategy and for providing strategic advice on ICT matters.’ As he’s the guy behind implementing these WINZ kiosks, I have to wonder what other strategic advice he’s offered to whom?

    Comment by Lucy Bailey — October 15, 2012 @ 10:45 am

  8. We provide a few computers for walk-in users (ie, members of the public without logins for our network), and although we put plenty of effort into locking down the OS, we didn’t put any into locking down their access to the institution’s network because there’s no access to network resources except for specifically authorised accounts or account groups. If someone had been insane enough to set up our network so that all resources were available to all accounts, offering walk-in usage would be out of the question.

    As someone commented on the PA thread, there’s bound to be an arse-covering email from whomever was charged with setting up these kiosks, warning that public access ought to be out of the question. Further back than that, you’d think there’d also be arse-covering messages from whichever poor sods were ordered to build the network in such a way that the info stored on it is totally insecure. I can’t imagine anyone capable of building WINZ’s network would have told them it was OK to build it like that.

    Comment by Psycho Milt — October 15, 2012 @ 10:49 am

  9. “You’d think some of that cash would buy you a world-class leader who saw the ACC fiasco unfold and think…” Especially since it now seems WINZ were told about this more than a year ago. Apparently world class leadership only kicks in when the media take notice.

    Comment by Ivan — October 15, 2012 @ 1:32 pm

  10. I second what ihstewart said – Bennett should go for this. She should have seen the ACC screwup and asked why her ceo wasn’t reviewing MSD’s data & IT security.

    What Lucy B says above is staggering – if this joker Brendan Boyle was in charge of whole of govt IT security, then surely all departments & ministries should be doing urgent reviews on their IT systems? Even if it’s just to hire a bunch of hackers and ask them to see how they get on cracking into things?

    I don’t blame anyone in govt for not being IT savvy (except the IT guys!); I do blame Ministers and managers for not having good enough processes to check their paper and IT systems keep data secure.

    Like Idiot/Savant said – Paula’s list of at-risk kiddies is going to be a shopping mall for paedo’s… Still, nothing a smile & wave won’t fix, eh John?

    Comment by bob — October 15, 2012 @ 2:20 pm

  11. Tut tut. The CE, Brendan Boyle, will be given a well-deserved bonus for the work that he will do to “save” the vulnerable who have been compromised by a wicked blogger. Expect that Keith Ng will be charged with accessing private information even though he like any member of the public is encouraged to do so. Performance Bonus must sit on top of the $600,000 the CE gets, and should be tax free. So there!

    Comment by xianmac — October 15, 2012 @ 2:47 pm

  12. I’d sheet blame higher than the CEO of WINZ. The head of the SSC should have asked all CEOs to have a brief audit of IT security after the ACC fiasco and insisted on assurances that sensitive material was not at risk.

    Dang, this job is easy in hindsight.

    Comment by Paul Rowe — October 15, 2012 @ 2:56 pm

  13. No internal IT security? God help us all. I’ve never liked the kiosks anyway, just like I don’t really like ATM’s. What are all these organizations doing with all the revenue saved over the years by having only a minimum of staff due to these technological gizmos?

    I understand that some Work & Income offices mostly rely on these kiosks. It’s going to be a massive change and a massive cost for them, for the kiosks to be shut down.

    Comment by Dan — October 15, 2012 @ 5:31 pm

  14. It goes to show that ‘attracting international talent’ has turned out to be a cargo cult mirage. It also goes to show that those entrusted to be the gamekeepers are really poachers.

    Comment by deepred — October 15, 2012 @ 10:17 pm

  15. There’s a delightful irony here in that Bennet thought it right and proper that she could access and then release private information of WINZ “clients”, but now that the department seems to be doing it without her, she’s horrified.

    Comment by Teej — October 15, 2012 @ 11:20 pm

  16. You say “The kiosks are how the public found out that MSD doesn’t seem to have any internal IT security.”

    Really? Not any security? That is just rubbish and you know it. (hmm catchy – there is a song in that!)

    You know (i.e. are able to prove!) that anybody inside MSD could have accessed this information from their desktops? Or are you just guessing? Rest my case.

    Comment by lougou — October 19, 2012 @ 9:39 am

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at

%d bloggers like this: