BreachExchange mailing list archives

Call for change following latest Govt privacy breach


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Sat, 20 Apr 2013 23:23:41 -0400

http://tvnz.co.nz/national-news/call-change-following-latest-govt-privacy-breach-5412122

An IT expert is calling for a change in government department culture
following an IRD email glitch that may have sent private,
tax-sensitive information to the wrong people.

The glitch yesterday afternoon saw 47 people incorrectly sent 182
emails when the 'to' and 'from' lines on a small number of messages
were automatically changed.

The IRD has stopped all incoming and outgoing email while it
investigates the cause of the glitch. Acting director Mike Hewetson
said he could not rule out the possibility that tax-sensitive
information was sent to the wrong people.

"It's a range of the general emails that the organisation produces so
some of those are personal and others of them would be private and
others may contain tax sensitive information but at this stage we just
don't know," he said.

"We do take privacy and secrecy really seriously, we're obviously
disappointed and we want to apologise."

Institute of IT Professionals chief executive Paul Matthews says there
needs to be a shift in culture within government departments.

"What's got to change is the people, and the culture and the way they
treat the confidential information," he said.

"These sort of things undermine public confidence in the system, so
they have to make absolutely sure they've got the systems and the
processes and the technology in place to protect people's data."

Matthews added that email is an insecure medium to send sensitive information.

"You shouldn't be sending anything via email that you wouldn't put on
the back of a postcard."

The minister responsible for IRD, Peter Dunne, said he was
disappointed with the situation but the department was making the
privacy and secrecy of taxpayer information its top priority.

It's the second time the department has been in the firing line. ONE
News revealed figures in October showing the privacy of more than
6,000 New Zealanders had been breached by IRD in the past year.

It also follows a number of other high-profile government department
privacy breaches, including EQC, Work and Income and ACC.

It is not clear how long it will take to resolve the issue or when the
department's emails will be running again, but Dunne said he was
hopeful it would be sorted by Monday morning.

IRD deals with more than 100,000 emails every day.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list