The New Zealand ministry at the centre of the kiosk breach scandal has admitted it was warned of a potential security hole more than a year ago by systems integrator Dimension Data.
It was revealed yesterday that members of the public could access confidential documents from kiosks installed at the New Zealand Ministry of Social Development (MSD) welfare department, leaving data from multiple agencies, corporations and citizens wide open.
Despite yesterday claiming no hole had been found in DiData’s security testing, MSD today confirmed to CRN a report in April 2011 had identified flaws in its system, which the department ignored.
“Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data’s recommendations on security,” CEO Brendan Boyle said in a statement.
MSD did not respond to request for further comment when contacted by CRN.
DiData did not confirm or deny to CRN whether it had warned the MSD of a potential hole, saying only it had presented a report of findings and recommendations and it was up to its client how to react to the report.
It declined to comment further.
The department has appointed an independent security firm to review its network security and its actions following DiData’s recommendations.
“We will be asking Deloitte to determine what we did to follow up this report’s recommendations and whether our response was adequate,” Boyle said. “I will look to the review to provide me with the answers.”
Security analyst and journalist Patrick Gray said the MSD’s decision not to act was a fundamental misunderstanding of the severity of the risk.
"The best security advice on the planet is useless unless it's acted upon," Gray told CRN. "It's always amazed me how critical vulnerabilities and deficiencies are signed off on by clients as 'acceptable risk'."
"They commissioned expert advice then ignored it. You'd be amazed how often this happens," Gray said.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
