Statement from Chief Executive Brendan Boyle - Work and Income Kiosk security breach

15 October 2012.

The Ministry of Social Development is calling in independent security experts to conduct an investigation into the serious security breach uncovered yesterday.

What has occurred is simply unacceptable.

An independent review is being initiated so I can understand how this happened and whether further action must be taken to safeguard client information.

The terms of reference for the review will be drafted within the next 48 hours and I’ve asked for an interim report to be completed within two weeks.

The investigation will initially examine the specific breaches around the kiosks. If this initial investigation shows we need a broader independent review into Ministry systems, this will also be commissioned.

I’m also establishing an internal taskforce to support the independent investigation and we will be in close contact with the Privacy Commissioner throughout.

At the same time KPMG will be brought in to carry out penetration testing of all our websites and systems over the next weeks.

The protection of client information is vital to maintaining public confidence in what we do.

As part of this we regularly contract KPMG and other IT experts to attack our sites to try to expose any vulnerability.

Regular reporting through these tests has shown that we operate a system that is generally considered to be robust.

Nevertheless it appears a relatively basic mistake has been made in this instance and the right safeguards were not put in place around the Work and Income kiosks.

Last night we took immediate steps to secure our systems. We have closed the kiosks down and locked exposed servers so staff can’t access them.

The Ministry has over 1500 servers.

We have established that information in one server, the National Accounting Centre server which contains information held on invoices, was accessed.

Unfortunately some of these invoices contain private information about clients as part of the explanation for the invoice.

The journalist was also able to access the file names of a further four servers, but unable to get into those servers and look inside any of the files.

None of this information should have been able to be accessed, which is why I’ve ordered an independent review.

The journalist who has the information has given it to the Privacy Commissioner and given an assurance he will not place confidential client information in the public arena or give it to anyone else.

I’m grateful he has done this and is co-operating with agencies.

We have no reason to believe other people have separately accessed private information through our kiosks.

If however anyone has done so, I would strongly urge them to do the right thing and hand it over.

Last week we were contacted by an individual who made extremely vague claims about being able to access our systems.

While he wouldn’t provide any detail, we asked KPMG to begin penetration testing at that point and this testing will now be accelerated and intensified.

A beneficiary advocate has said today that she informed the Ministry over a year ago that Ministry information could be accessed through the kiosks.

This is accurate, but I understand that the information she was referring to was quite different and related to internet protocol information.

The system was rebuilt during this period and I’m still awaiting further information as to exactly what happened then in this regard.

I want to give the public an assurance that I’m taking this extremely seriously and that the Ministry will be held accountable.