Small on MSD breach
Vernon Small writes:
So four lowly ranked heads are on the block over the unforgivable security lapse at the Social Development Ministry.
As an interim step, it is a reasonable response to the “damning” Deloitte report, which found “woeful” failures at the ministry – and those are just the words of chief executive Brendan Boyle.
The legal rights of those workers – presumably middle IT management – are being handled with the required caution.
I’m not sure I’d call middle IT managers lowly ranked. We don’t know positions and names (and may never know), but IT Managers can be pretty well remunerated and quite senior.
But that still begs the question of whether it is a case of “the worker wot gets the blame” while the executives escape with their salaries and bonuses intact.
That will only be answered by a second report looking into the systems and culture at the ministry. But it will be extraordinary if all the failures are left resting on the shoulders at the bottom of the pile.
Among papers released yesterday was the ministry’s 2006 risk-management manual that makes clear where responsibility rests.
It is hard to see how “monthly discussions relating to risk management and mitigation” at deputy chief executive level or a rule that all risks be “documented, rated, managed and monitored in a comprehensive manner” by general managers allowed urgent risks picked up last year by Dimension Data to “drop off the radar”.
How could the risk presented by 700 public terminals, linked to the main servers, not be the responsibility of a senior manager somewhere in the system?
This is the point I also made yesterday. Unless the risk was never ever reported to senior management, I’d expect a senior manager such as the CIO to be accountable for not following up. But we don’t yet know the full details.
Meanwhile the ministry is doing itself no favours in the way it is advising those affected by the leak. Sure, Keith Ng and Ira Bailey, who accessed the data, pledged it went no further.
But the ministry cannot be certain there were no other privacy breaches. It is unclear who was behind a similar one on October 4, the day before Mr Bailey reportedly accessed the system.
Yet Mr Boyle said only 10 people, with the most sensitive privacy issues, would be told out of the 1432 whose data was accessed.
It is out of kilter that an agency that allowed such a major lapse should then arbitrate on how serious it was and who should be told. Those not informed include some facing benefit fraud investigations.
Mr Boyle seemed to think a public apology would suffice.
He should ponder Ms Shroff’s advice. “There’s been far too little focus on the fact that there are real people behind the information that government agencies hold.”
A fair point, but to be fair to MSD this security vulnerability may have bene in place for 13 years. Arguably every client of WINZ in that time *may* have had some details about them accessed. I think it is unlikely, but I can understand why they are only individually going to those with the most sensitive information.