Paula Bennett must take responsibility for privacy breaches at her Ministry

Since the massive privacy breach at the Ministry of Social Development was made public on Sunday 14th October, Social Development Minister Paula Bennett has consistently passed the buck and refused to accept responsibility for the total failure of leadership she has provided.

The release of the damning Deloitte Independent Review of Information Systems Security on November 2nd shows clearly that the breach cannot simply be blamed on individual error from the four MSD staffers currently facing employment investigations, and it identifies systemic issues for which responsibility lies at the feet of Minister Bennett and Chief Executive Brendan Boyle.

The report states that “[t]here is little evidence, at the design stage, of analysis of security and privacy risks, specification of requirements based on such analysis, and assessment of the solution design to ensure that requirements are met and risks are mitigated”. Considering the importance of the confidential information the Ministry holds on thousands of our most vulnerable citizens, this lack of consideration of privacy risks is a damning indictment of the culture at the Ministry, a culture created from the very top.

The report also found that “[t]he policy guidelines are silent on the escalation of risks that are not rated as ‘high’ or above” and that “the type of project documentation we would usually expect … does not appear to have been developed, maintained consistently and signed off”. This shift away from best practice is a clear failure of the Ministry’s leadership.

Minister Bennett cannot continue to shy away from taking responsibility. She must stop trying to shift the blame for her lack of leadership and the systemic issues present in her Ministry onto a few lowly staffers.

Under this National Government, the privacy of thousands of our citizens has repeatedly been breached, including the major breaches at ACC and MSD. New Zealanders deserve better.

4 thoughts on “Paula Bennett must take responsibility for privacy breaches at her Ministry”

  1. As a person who has been a ‘client’ of WINZ (on & off), I am concerned that my personal details (& thousands of others) could well be ‘in the public domain’ as a result of Ms. Bennett’s departmental bungling. I agree it is not sufficient that she ‘just keep passing the buck’ to her staff.
    Ms. Bennett needs to follow Ms. Wilkinson & take responsibility for her failure as minister & RESIGN!

    Kia-ora Koutou Katoa


  2. Software design and policy would have been set somewhere in 1999. It hardly seems fair to hold Bennett to account for something that occurred under Labour.


  3. The rulebook “Security in the Government Sector” makes it quite clear it is the Chief Exec who is ultimately responsible for security.

    There were (at least) two distinct issues relating to this breach, and as would be expected, most folks don’t differentiate.

    The first is a simple matter of security on shares, and clearly the system administrators who manage this fundamental and critical aspect of information security didn’t have a clue, making errors that are simply inexcusable. They should be fired, and should never work in IT again.

    Everyone who held the Dimension Data report and failed to forward it to the above-mentioned system administrators should also be fired. The cost to fix this most egregious error is zero, requiring just minutes of work.

    Had this error not been made, then even though the kiosks were not on a segregated network, it would have pretty much removed the possibility of the privacy breach, and this would have been a non-story. Although it is some way from best practice to have the kiosks on the main network, had the shares been secure then an attack would require significantly more skill than just waltzing up to a kiosk with a USB stick.

    I’ve worked in (UK) government information security, and it is clear that the entire organisation is light-years away from equivalent departments in the UK, and that there simply isn’t the same level of security governance. That is an issue that needs to be addressed. The building blocks and documentation framework are there, it just isn’t done in practice.

