The MSD computer system
Keith Ng blogged on Friday on the MSD report into their security breach. He notes that MSD itself says the report is damning. He quotes the earlier report:
The most pressing security issue discovered is the lack of network separation of segregation within the environment… This introduces an inherent level of risk as it could allow for a member of the public to gain access to MSD network resources and services. Physical network separation is strongly recommended, and the current solution should not be deployed into a production environment before network separation is achieved.
This is the key. If you have them physically separate, then you solve almost all the issues. It is good that Dimension Data recommended this. The massive question for MSD is why this was not implemented.
So where are we now? Four “employment investigations” are under way. Boyle refused to say anything about these people, so we don’t know their seniority or the nature of their roles. But he did make clear that the decisions didn’t get escalated properly – i.e. senior managers weren’t involved. He also said that it simply “dropped off the radar” – that it wasn’t a matter of cost-cutting, it was a matter of WTF.
So basically, there is no explanation of why they ignored DiData’s report. Hopefully we’ll find out more once those “employment investigations” are completed and the second phase of the report comes out.
Heads must roll for this. How high up it goes will depend on the facts. I would make the point though that just because it wasn’t escalated to someone doesn’t mean they are in the clear. The question should be whether a particular manager should have asked for a copy of the report and reviewed it themselves. I would expect senior managers in the IT area to be managing risk in this area, and to be maintaining a risk register. This should have been on it, and they should have been asking for reports on it. Now if underlings just neglected to enter this issue on the risk register, then maybe senior management is not culpable. But if senior IT management were not running a risk register, then they face hard questions also.
NBR have the full report.
Also of interest is this Herald story:
Computer terminals used for 13 years by job seekers at Work and Income offices had the same security flaw as the self-service kiosks at the centre of the major privacy breach at Winz.
An independent report has revealed the computers used between 1998 and 2011 were also connected to Ministry of Social Development’s corporate computer network allowing access to private information.
13 years!!