OnPoint by Keith Ng


#WTFMSD: "Damning"

"Damning" was actually the word used in the MSD press release:

MSD Chief Executive Brendan Boyle says the report is damning around MSD's failure to separate public kiosks from a network containing corporate files.

And it is. The Dimension Data security review of the kiosks has come out, and as expected, it was crystal bloody clear:

The most pressing security issue discovered is the lack of network separation or segregation within the environment... This introduces an inherent level of risk as it could allow for a member of the public to gain access to MSD network resources and services. Physical network separation is strongly recommended, and the current solution should not be deployed into a production environment before network separation is achieved.

The problem was listed as "Urgent".

So where are we now? Four "employment investigations" are under way. Boyle refused to say anything about these people, so we don't know their seniority or the nature of their roles. But he did make clear that the decisions didn't get escalated properly, i.e. senior managers weren't involved. He also said that it simply "dropped off the radar": it wasn't a matter of cost-cutting, it was a matter of WTF.

So basically, there is no explanation of why they ignored DiData's report. Hopefully we'll find out more once those "employment investigations" are completed and the second phase of the report comes out.

MSD has also ring-fenced the breach: although 1432 documents contained personal information, it says they only contained "highly sensitive" information about 10 people. It's worth noting that many of those documents contained dozens of names each. I'd estimate that more than 10,000 individuals were identified in those documents.

Many of those would have been MSD contractors, with pay rates, hours, etc. It's private, but not terribly sensitive, and reasonable people can disagree about whether that's a big deal or not. But other names, such as individuals being investigated by the Benefit Fraud Unit or the MSD Intelligence Unit, were also deemed not highly sensitive. That's a big call.

Full report here, via NBR.

UPDATE: Some speculation. The email to MSD from Kay Brereton (the beneficiary advocate) describes the problem as:

...was able to access info which gave him the "names" of all the computers on the network

By the time it got to MSD, this was described as:

...was able to access the IP addresses (you will know better than I what this means) for all the PC's including staff PC's in the office

Printers were also mentioned.

The original description of the problem sounds exactly like being able to map network drives and seeing the names of all the computers on the network. And you can map network resources through the printer dialogue (let me know if I'm wrong about this).

UPDATE 2: My understanding is that there's no audit trail to determine *who* accessed information, but that there *were* network logs. Boyle talked about not finding any "download patterns", i.e. people leeching large volumes of data, like I did. That seems like a reasonable way to detect intrusion, unless it was someone who covered their own tracks (in which case no audit trail would help).
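The "download patterns" check Boyle described can be made concrete. What follows is an added example, not code from this post or from MSD or Dimension Data: it scans constructed file-server access logs (the log line format, IP addresses, UNC paths and thresholds are all assumptions for illustration) with a per-client sliding window, and flags any client that pulls more files or more bytes than expected within five minutes. The sample also includes a client that reads one file every half hour, which the same check does not catch: a volume threshold finds leeching of the kind described above, not a patient attacker who stays under it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape for this example (not MSD's real format):
#   "<ISO-8601 time> <client IP> <UNC path> <bytes transferred>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log text into (time, client, path, nbytes) tuples, oldest first.
    Lines that do not match the assumed shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, path, nbytes = m.groups()
        events.append((datetime.fromisoformat(ts), client, path, int(nbytes)))
    return sorted(events)


def find_download_patterns(events, window=timedelta(minutes=5),
                           max_files=10, max_bytes=5_000_000):
    """Per-client sliding window over the event stream.  A client is flagged
    the first time the distinct files or total bytes it fetched within
    `window` exceed the thresholds.  Returns
    {client: (first_alert_time, files_in_window, bytes_in_window)}."""
    recent = defaultdict(deque)   # client -> (time, path, nbytes) still inside the window
    alerts = {}
    for t, client, path, nbytes in events:
        q = recent[client]
        q.append((t, path, nbytes))
        while q and t - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        files = len({p for _, p, _ in q})
        total = sum(b for _, _, b in q)
        if client not in alerts and (files > max_files or total > max_bytes):
            alerts[client] = (t, files, total)
    return alerts


def build_sample_log():
    """Constructed sample data, not real MSD logs.  Three clients:
    10.1.20.15  a kiosk leeching 20 documents in under four minutes,
    10.1.10.42  a staff PC opening three files over four minutes,
    10.1.20.16  a second kiosk reading one file every 30 minutes (low and slow)."""
    base = datetime(2012, 10, 12, 13, 0, 0)
    lines = []
    for i in range(20):
        t = base + timedelta(seconds=12 * i)
        lines.append(f"{t.isoformat()} 10.1.20.15 \\\\files\\corp\\hr\\doc{i:02d}.pdf 120000")
    for i in range(3):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} 10.1.10.42 \\\\files\\corp\\team\\report{i}.docx 80000")
    for i in range(6):
        t = base + timedelta(minutes=30 * i)
        lines.append(f"{t.isoformat()} 10.1.20.16 \\\\files\\corp\\cases\\case{i}.pdf 150000")
    return "\n".join(lines)


if __name__ == "__main__":
    alerts = find_download_patterns(parse_log(build_sample_log()))
    for client, (when, files, total) in alerts.items():
        print(f"{when.isoformat()} {client}: {files} files / {total} bytes inside window")
```

Run as-is, only the leeching kiosk is reported: it trips the file-count threshold on its eleventh document, two minutes into the sample. The staff PC stays well under both limits, and the low-and-slow kiosk never has more than one event inside any five-minute window, so it is invisible to this check however low the thresholds are set. That is the limit of looking for "download patterns" in network logs alone; it tells you nothing about a careful reader of a few files at a time, which is why the per-user audit trail that is missing here matters.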
