A security report warning the Ministry of Social Development last year of potential failings in its WINZ kiosks has been released under the Official Information Act.
The OIA request was made by Josh Levent on fyi.org.nz, a site which facilitates public freedom of information requests. Levent asked MSD to release all documents relating to security assessments of its systems. Although the much-publicised Dimension Data report was released on 16 November, Levent says his request has not been met.
“Since I requested all reports containing a review of MSD Information Security in the past five years, am I to conclude that this is the only report relating to information security in the past five years in the entire Ministry?” writes Levent on fyi.org.nz.
Security-Assessment.com (SA), which is owned by Dimension Data, conducted a review of MSD’s public-facing kiosks in April 2011.
It produced a report for the MSD later that month which highlighted the lack of separation between the public-facing computers and the ministry’s corporate environment as a “critical” vulnerability.
SA recommended the immediate separation of the kiosks and network using a firewall appliance, and further minimising the interaction between the kiosks and MSD’s network.
This vulnerability was exploited by journalist Keith Ng, who was able to gain access to restricted files on MSD's network. It was later revealed that organisations with which MSD has a shared IT services agreement, like CERA and the Children's Commissioner's Office, were also susceptible to having their files accessed.
MSD has not released any information on how many people were able to access these files in the months following the SA report.
Last month MSD CEO Brendan Boyle admitted the ministry was warned by Dimension Data of the security faults, and may have failed to act on that information.