Warning from expert that Ministry of Social Development computers had a flaw may not have been acted on.

The head of the Government's IT programmes has been tasked with an urgent stocktake of all its public computer systems as the Government scrambles to limit the damage caused by the privacy breach at Work and Income.

And the Ministry of Social Development has revealed it was warned 18 months ago about a hole in the security of its computer kiosks by computer firm Dimension Data.

Social Development Minister Paula Bennett confirmed the issue Dimension Data reported in April 2011 was the same as that revealed by blogger Keith Ng this week after he was able to download thousands of invoices and call-logs containing personal details from the public kiosks.

That testing of the system cost $10,215 and MSD chief executive Brendon Boyle yesterday said he was no longer confident the department had responded to the findings properly.


He had earlier said that the testing did not identify the problem.

Mr Boyle yesterday announced that auditors Deloitte has been contracted to review of both the specific kiosk breach and the ministry's wider systems.

Last night, State Services Commissioner Iain Rennie announced that Colin McDonald, the Government's chief information officer, will urgently review all public service agencies to ensure computer security. He described the latest incident as "a serious breach of the trust New Zealanders place in their Government".

Opposition MPs forced a snap debate on the issue yesterday and Labour's Jacinda Ardern criticised the Government for a "cavalier attitude to privacy". She said Ms Bennett had undertaken in 2009 to monitor the roll-out of new technology including the kiosks closely. "Clearly she did not do that."

Ms Bennett said it was an operational issue she would not expect to be involved in. She also faced questions about Ira Bailey - the man who found out about the hole in the kiosk security and tipped off Mr Ng.

Mr Bailey contacted MSD last Monday and told them about a security issue, without specifying what it was, and asked if they paid incentives. Two days later he was told they would not pay and by that point he had contacted Mr Ng.

Ms Bennett said she first became aware Mr Bailey had reported a security problem last Wednesday, but the information provided was vague. She said the ministry had looked for any flaws at that point. "They just looked in the wrong place."

The reviews
Chief Information Officer

*Will lead a Government-wide review of all computer systems to ensure they are robust.


*Will look at the security of the Work and Income kiosks, including how supposedly secure information was accessed and how to prevent it happening again. Expected within a fortnight.

*Will investigate whether Ministry of Social Development acted on an April 2011 report into the kiosks.

*A broader look at security across all 200 IT systems within the Ministry of Social Development. Longer term.