Friday, November 02, 2012



Damning

That's how MSD Chief Executive Brendan Boyle describes the Deloittes review of the security of their kiosks. And it certainly is. Reading through the review [PDF], it appears that MSD were warned of the need to separate their kiosks from the rest of the network in the early design stages - and did nothing. They were warned of the vulnerability by their penetration testers - and did nothing. They were again notified of it in the early stages of rollout by a beneficiary advocate - but did nothing. This is a chain of such utter carelessness that it beggars belief. When given clear warning of severe problems with their system which compromise sensitive data, they simply shrug their shoulders and do nothing. The report attributes this to - of course - the earthquake, despite the timeline not supporting that. But the real problem here is with WINZ's toxic internal culture. Fundamentally, they just don't give a shit about the people they're meant to be serving. And the kiosk fuckup is a perfect display of that.

But apparently everything's all right now - the kiosks have been shut down, and there were no security breaches beyond those publicly reported. The latter is claimed even though the report makes it clear that the kiosks don't keep logs, so they have no idea what people did on them and whether there were security breaches or not. But the need to pretend that everything is fine wins out over honesty, even from "independent" (i.e. tell you what you want to hear) consultants such as Deloittes.

Apparently four employment processes are now underway. I'd expect another two for the Chief Executive and the Minister. They've jointly presided over a shambles which has fatally undermined confidence in the department. Both have to go for that confidence to be restored. until they do, the root problem - that toxic internal culture of just not giving a shit - will remain unaddressed.