Tuesday, October 16, 2012

FFS again!

The WINZ privacy scandal just gets worse: it seems they were previously alerted to the security flaw not just by members of the public, but by their own security consultants:

The New Zealand ministry at the centre of the kiosk breach scandal has admitted it was warned of a potential security hole more than a year ago by systems integrator Dimension Data.

It was revealed yesterday that members of the public could access confidential documents from kiosks installed at the New Zealand Ministry of Social Development (MSD) welfare department, leaving data from multiple agencies, corporations and citizens wide open.

Despite yesterday claiming no hole had been found in DiData’s security testing, MSD today confirmed to CRN a report in April 2011 had identified flaws in its system, which the department ignored.

“Since yesterday afternoon I have received further information that means I am not confident that we took the right actions in response to Dimension Data’s recommendations on security,” CEO Brendan Boyle said in a statement.

I can understand WINZ ignoring warnings from members of the public, who they regard as the enemy. But their own security auditors? This takes muppetry to a totally new level, and heads need to roll for it.