MSD Breach: 'People Woefully Underestimated The Risk'


Ministry of Social Development Privacy Breach Report Press Conference - 2 Nov 2012

Scoop Audio+Video+Photos

By Mark P. Williams

Today the Ministry of Social Development Chief Executive Brendan Boyle held a press conference on the investigation into the security breach identified in mid-October. He was accompanied by his chief legal advisor Mr Rupert Ablett-Hampson (right) and Deloitte Chairman Mr Murray Jack (left).

Mr Boyle took pains to emphasise that in this specific instance of the breach by Mr Bailey and Mr Ng there was relatively low risk, because the information gathered was limited and had been handed back to the Ministry without being further disseminated. He added that Deloitte found that the information downloaded was "limited" and that, "as PDF files", the documents could not be viewed on the kiosk and had to be downloaded, but said that the fact of the breach indicated that there was significant failure on the part of the MSD.

Some 7300 files were able to be downloaded; of this number, 1400 contained sensitive information, such as medical details and dates of birth. He said that there were 10 people whose information was judged to be "highly sensitive": eight children and two adults.

Four main technical failings led to the security breach:


  • The ability to map network drives was not restricted on the kiosks;

  • There was a lack of separation between the kiosks and the Ministry's core network;

  • The kiosks operated as an authenticated user of the network Active Directory domain;

  • Some shares containing sensitive information within scanned copies of invoices were not appropriately restricted.

Mr Boyle said that the Deloitte investigation showed that MSD management "were never given the opportunity to assess the risk and take action to address it", and said that there were deficiencies in risk management policies. He added, "It seems people woefully underestimated the risk of a malicious attack." Mr Boyle said that he would be holding people accountable and was instituting four investigations. He then took questions from the press.

Keith Ng was also present and, in addition to posing questions to Mr Boyle, took questions from the press after the press conference.

Questions

Mr Boyle was asked how far he would go in holding people accountable for the breach and whether it would extend to himself, and what sort of positions those being investigated were in. He said that he considered himself to be accountable for responding appropriately.

He was then asked what roles those being investigated were in. He responded that they were in a variety of roles. He was then pressed as to whether any of them were managers. He said that he was not prepared to give further information.

The press then asked what would happen when the kiosks had to go online again. Mr Boyle said that for now the kiosks would remain offline, but they would be looking into appropriate measures to bring them back online as safely as possible. He added that full network separation was an option they were considering.

Keith Ng asked whether any action would be taken regarding the information of the 1400 people which was considered sensitive. Mr Ablett-Hampson said that they would not be "proactively approaching each of those individuals".

Keith Ng then asked whether he could elaborate further on the distinction they draw between information that is "highly sensitive as opposed to not-highly-sensitive". Mr Ablett-Hampson responded that this was judged through a range of criteria based on how much information was contained in a particular item. He added that the "highly sensitive" category included detailed information about personal circumstances contained within invoices.

Keith Ng then asked whether information as to whether someone owed money to the MSD or was being investigated for fraud would be considered "highly sensitive" under this definition. Mr Ablett-Hampson responded that it would be considered "personal information" but not "highly sensitive", adding that this would not get to the "top category".

Mr Ablett-Hampson was asked whether he had a duty to inform those 1400 people whose information had been compromised. He responded that they had a duty to "make an assessment of the extent of risk of harm" involved in informing people that their information had been compromised compared to what information had actually been accessed.

Mr Boyle was asked what he saw as the next phase and whether he had any doubts about having the budget to fill the gaps in security. He responded by saying that part of the problem was a lack of adequate assessment of the balance of costs to risks in the original assessment. He was then pressed further to say whether the original decision taken not to separate network access had been determined by resource allocation or cost. Mr Murray Jack commented that the expenses involved in network separation would not have been beyond the Ministry's capability and so this was not a factor in the decision-making process.

Mr Boyle was asked how he could be sure that no-one else might have accessed the information. He responded that there could be no guarantee, and that they would continue to investigate, but said there had been no download pattern similar to that of Mr Ng and Mr Bailey and so they were confident that no-one else had accessed the information.

Mr Murray Jack was then asked about an occasion of information, similar to that accessed by Mr Ng and Mr Bailey, being accessed on the 5th October. He responded that neither Mr Ng nor Mr Bailey could be sure that this particular occasion was not also them (something Mr Ng confirmed).

After the questions to Mr Boyle ended, Mr Ng commented to the press that he was concerned with how MSD chose to define "highly sensitive" information in respect to its system security, and said that there was clearly a management issue involved.


ENDS


© Scoop Media

 
 
 
 
 