David Fisher

David Fisher is a senior reporter for the NZ Herald.

Kiosk security problems identified early last year

Paula Bennett and Ministry of Social Development chief executive Brendan Boyle. Photo / Mark Mitchell

The security review into problems at the public computer kiosks run by the Social Development ministry raised identical problems to those exposed by a blogger 18 months later.

Keith Ng's discovery of private information sitting on publicly-accessible hard drives was an almost exact match for the April 2011 report by a security company hired to find problems.

The security-assessment.com report found the connection between the corporate computers and public kiosks - planned for MSD offices across the country - was dangerous.

"This lack of separation means that the kiosk terminal has the same level of authority and access as corporate MSD employees."

It went on to say it created an "inherent level of risk as it could allow for a member of public to gain access to MSD network resources and services".

The advice sat in MSD for 18 months before Public Address blogger Keith Ng did exactly that - accessing 7300 items including highly personal information.

The type of information at risk was also revealed in the April 2011 security report. It raised concerns about medical information, drug testing results and recorded calls to MSD's helpdesk as being openly available.

It recommended taking "urgent" action to restrict access.

"A malicious user with access to the operating system of the kiosk is able to gain access to sensitive information kept with the MSD network including medical and drug test results," it stated.

The review into the problem, released three weeks ago, showed senior managers were not told about the problem.

The April 2011 report was ignored until Mr Ng revealed the holes in MSD's system.

Four staff are facing employment action. The next update in the review is expected next month.

Green co-leader Metiria Turei said she was concerned junior staff would be sacked when questions should be asked of senior managers. Ms Turei said "high-level management should be taking responsibility".

She said she was astounded MSD already had a copy of what Mr Ng had found - 18 months before he wrote it. She said the report was a match for his findings.

MSD chief executive Brendan Boyle said the employment investigations were being carried out as quickly as possible. He said the ministry was committed to following a "fair process".

The report into the security lapse was distributed in a bundle of documents when the security failure first emerged and has since re-emerged through the Official Information Act.

- NZ Herald

© Copyright 2014, APN New Zealand Limited