SharePoint stuff-up fingered for MSD’s data exposure

A glitch in a temporary system used by the Ministry of Social Development to hold client data has been blamed on misconfiguration of permissions in Microsoft SharePoint.

The MSD had been working with a number of non-government agencies to collect data on individual clients, data that it stored in a temporary location with access restricted, in theory, to the NGO that had provided the information.

On 31 March 2017, the Ministry was made aware that one NGO had been able to see the folder containing client information from another NGO.

According to an independent review of the incident, “While no actual client data was exposed, this highlighted an issue with user access permissions of the temporary solution, which was reviewed in subsequent days by the Ministry.”

As a result, on 4 April 2017 all access for NGOs to the temporary solution was suspended and the solution was abandoned.

According to the review, the temporary solution, described as a shared workspace provided by the Department of Internal Affairs (DIA), used Microsoft SharePoint 2010, which, by default, allows users to see everything within their workspace because it has been designed to be a collaboration tool.

“Permissions for users need to be selectively removed from their default settings to prevent users from viewing or accessing materials they are not meant to,” the report said.

“The 31 March incident occurred as a result of an error in user permissions allocation. In the second instance, while seeking to fix the problem, the Ministry had accidentally deleted its own user permissions and requested Datacom (the vendor managing the shared workspace for the DIA) to re-instate access to that library. … When the access was re-instated, all privileges to that particular library were restored, which then enabled all providers to view that library.”
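The failure mode the report describes, as an added example that is not part of the original article or the review: a simplified Python model (not the SharePoint API) in which a library either inherits workspace-wide access or carries its own access list, with an isolation check that flags any NGO library readable by another NGO. The principals, library names and the `reinstate_access` helper are constructed for illustration, and treating "all privileges restored" as a fall-back to workspace defaults is an assumption.

```python
# Added example: tenant-isolation check for a shared workspace (simplified model,
# not the SharePoint object model). All names and data below are constructed.
from dataclasses import dataclass, field

@dataclass
class Library:
    name: str
    owner: str                      # the NGO whose client data the library holds
    inherits: bool = True           # default: take permissions from the workspace
    acl: set = field(default_factory=set)  # principals granted access when not inheriting

def effective_readers(lib, workspace_members):
    """Principals who can open the library once inheritance is resolved."""
    return set(workspace_members) if lib.inherits else set(lib.acl)

def isolation_violations(libraries, workspace_members, trusted):
    """Return {library: [unexpected principals]} for every library readable by
    anyone other than its owner or a trusted (ministry) principal."""
    findings = {}
    for lib in libraries:
        extra = effective_readers(lib, workspace_members) - {lib.owner} - set(trusted)
        if extra:
            findings[lib.name] = sorted(extra)
    return findings

def reinstate_access(lib, principal, restore_defaults):
    """Assumed model of the repair step: either grant one principal on the
    library's own ACL, or fall back to the workspace defaults."""
    if restore_defaults:
        lib.inherits, lib.acl = True, set()
    else:
        lib.inherits = False
        lib.acl.add(principal)

MEMBERS = {"ministry", "ngo-a", "ngo-b", "ngo-c"}   # constructed workspace members
TRUSTED = {"ministry"}

def build_libraries():
    return [Library(f"{n}-clients", n, inherits=False, acl={n, "ministry"})
            for n in ("ngo-a", "ngo-b", "ngo-c")]

def replay_incident(restore_defaults):
    libs = build_libraries()
    libs[1].acl.discard("ministry")            # ministry deletes its own permission
    reinstate_access(libs[1], "ministry", restore_defaults)
    return isolation_violations(libs, MEMBERS, TRUSTED)

if __name__ == "__main__":
    print("restore defaults :", replay_incident(True))
    print("targeted re-grant:", replay_incident(False))
```

Run after every permission change, a check of this shape would flag both the original allocation error and the re-exposure that followed the reinstatement.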

The report added that, because the project needed a temporary technology solution quickly, there had been “insufficient rigour in the selection of the temporary solution” and “the privacy impact assessment was done late in the project.” It said these factors had posed a level of risk not fully understood at the time.

The minister for social development, Anne Tolley, said she was extremely disappointed that the report had highlighted a number of areas of concern.

“While this occurred at a time when the Ministry was going through major organisational change, the report highlights that the project lacked the appropriate governance, project management processes, and dedicated project resource,” she said.

“The reviewers also found there was insufficient due diligence in the selection and implementation of the temporary IT solution. There was a lack of appropriate checks and testing to confirm the system’s readiness. Privacy considerations and security risks were not properly identified and mitigated in a timely manner.”

She concluded: “Some of these difficulties could have been mitigated if the team had used the experience and knowledge from within the Ministry and from other agencies. I have made it clear to the chief executive that I expect these lessons will be taken on board. Given previous IT issues, the Ministry should have overseen this project appropriately.”

She hinted that heads could roll as a result of the blunder, saying: “I understand that an employment investigation by the chief executive is now being undertaken as a result of the review.”
