OnPoint: #WTFMSD: "Damning"
68 Responses
-
Matthew Poole, in reply to
It’s more likely that the online records are backed up with the system data, rather than the reason for the backup of the system data
Which is what I was trying to say. They have to backup anything vaguely classified as records, and they have to backup systems. Since logs will fall into one of those categories over a short term, and it's much easier to develop a backup retention policy to support the most anal requirements that apply to your situation, the logs will almost certainly be available for much longer than just however long they're left sitting on a hard drive. And that's regardless of whether the logs themselves fall under the ambit of the PRA.
-
BenWilson, in reply to
rather different ethical/legal implications
Yup, technically. Practically, no one would ever know. If you decided to let them know, you could tell them that you only kept MD5s of the data for proof of existence purposes. You could even do exactly that, if you were a stickler.
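The "keep only hashes for proof of existence" idea in the comment above, worked through as an added example (my code, not something from the thread or from MSD). It builds a manifest of digests and sizes for a set of files, so that the holder can hand the data back while still being able to show later that a particular file was in the set, and it detects tampering with the manifest itself. The file set is constructed for the example, and SHA-256 is used rather than the MD5 the comment mentions, because MD5 is collision-prone; the principle is identical.

```python
"""Proof-of-existence manifest: retain digests, not contents.

Added example, not code from the discussion. A manifest lets you return
(or destroy) copied data and still demonstrate afterwards that a given
file existed in the copy, without having kept the file itself.
"""
import hashlib
import hmac
import json
from typing import Dict

# Constructed sample data standing in for copied files; not real records.
SAMPLE_FILES: Dict[str, bytes] = {
    "invoices/0001.txt": b"Invoice 0001: consultancy services, $1,200.00\n",
    "invoices/0002.txt": b"Invoice 0002: kiosk maintenance, $340.00\n",
    "cases/readme.txt": b"Index of case files (placeholder text)\n",
}


def digest_bytes(data: bytes) -> str:
    """SHA-256 hex digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Deterministic JSON encoding so the manifest digest is reproducible."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes]) -> dict:
    """Map each path to its digest and size; no file content is stored.

    The manifest also carries a digest over its own entries, so a copy
    given to a third party (or published) can be checked for alteration.
    """
    entries = {
        path: {"sha256": digest_bytes(content), "size": len(content)}
        for path, content in sorted(files.items())
    }
    return {"entries": entries, "manifest_sha256": digest_bytes(_canonical(entries))}


def manifest_is_intact(manifest: dict) -> bool:
    """True if the entries still match the manifest's own digest."""
    expected = digest_bytes(_canonical(manifest["entries"]))
    return hmac.compare_digest(expected, manifest["manifest_sha256"])


def verify_file(manifest: dict, path: str, content: bytes) -> bool:
    """True if `content` is byte-for-byte the file recorded under `path`."""
    entry = manifest["entries"].get(path)
    if entry is None:
        return False
    return entry["size"] == len(content) and hmac.compare_digest(
        entry["sha256"], digest_bytes(content)
    )


def manifest_to_json(manifest: dict) -> str:
    """Serialise for storage or disclosure; contains digests and sizes only."""
    return json.dumps(manifest, sort_keys=True, indent=2)


def manifest_from_json(text: str) -> dict:
    return json.loads(text)


def contains_plaintext(manifest: dict, files: Dict[str, bytes]) -> bool:
    """Sanity check: confirm no file body leaked into the manifest."""
    blob = manifest_to_json(manifest).encode()
    return any(content in blob for content in files.values())


if __name__ == "__main__":
    m = build_manifest(SAMPLE_FILES)
    print(manifest_to_json(m))
    print("intact:", manifest_is_intact(m))
    print("0001 verifies:", verify_file(m, "invoices/0001.txt", SAMPLE_FILES["invoices/0001.txt"]))
    print("tampered verifies:", verify_file(m, "invoices/0001.txt", b"Invoice 0001: edited\n"))
```

One caveat worth knowing before relying on this: a digest only hides content that is not guessable. A short, low-entropy file (a single name or number) can be recovered from its hash by trying candidates, so for such data a manifest is evidence of existence but not a privacy guarantee in itself.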
-
Sacha, in reply to
no one would ever know
except oneself, grasshopper
-
Karen Adams, in reply to
But they do not if you include all paperwork submitted by beneficiaries. Seems to me that would be vaguely classified as a record. They have policies about what they scan in so not everything is kept (and hard copies are not always kept either).
-
BenWilson, in reply to
except oneself, grasshopper
Sure, although from a personal ethical point of view, you'd know:
1) The data was harmless
2) You had already seen it
3) You did not intend to use it, because of 1) and 2), for any other purpose than establishing whether incompetence was followed by cover up, which would actually be a good thing to know.
ETA: It could also be a good thing for other people to know.
-
Ben,
What if "they" aren't as incompetent as you suspect, and they do indeed detect that you have more data than you admitted...
Then you could be in a pile of legal doo-doo...
-
Rich of Observationz, in reply to
There are a bunch of ways something could be escalated:
- at an extreme, a bearded, scrofulous sysadmin (for it would be he) could have entered a senior manager's office and screamed at the person until he took steps to rectify the problem
- at another extreme, managers could have been extended a standing invite to daily stand-up meetings - and of course never attended
- the traditional approach would have been to send a memo or email cc'd to everyone the sender can think of. This might well provide effective blame transference. But that's unfashionable nowadays.
-
BenWilson, in reply to
What if "they" aren't as incompetent as you suspect, and they do indeed detect that you have more data than you admitted...
The pile of legal doo-doo would be roughly the same as the pile involved in taking the documents that actually were sensitive, by the thousands. If they were going to come after you for anything, it would be that, not withholding non-sensitive information for the purposes of checking whether they cover incompetence with lies.
If they do detect it, then they'd probably also detect that the documents are not important, and I'd think they'd probably just proudly tell you they detected them, in the hope that you report that there are limits to their incompetence, and that they are not liars. Rather than antagonizing you in a story that's already extremely embarrassing to them.
Of course there always was a chance that they would just go for Keith, and he could have been completely ruined by this scoop.
Perhaps a more "safe" way of doing what I'm saying would have been for Keith to simply have deleted a random number of files from his stick*, then given it to them, saying "Here's all of it, and I deleted a random number of files. Now, you tell me what that random number is. If you can't then it's clear that not only have you left this open, but you can't tell how much of the data has been accessed". Then they could either take up the challenge or not, and the scoop would have just that little bit more information on the extent of the breach. If they could provide that random number, then everyone could feel just that little bit happier that these files haven't been got at by whosoever felt like it for over a year.
Hindsight - always 20/20.
*ETA OK, just to be safe, better would be to copy a random number of them to another stick, then hard-format the old stick, then smash it to pieces with a hammer, and give them both the new stick and the crumbs of the old one. Just so that they can't somehow go through the stick OS and find the deleted entries.
-
Putting in place and overseeing project risk and escalation processes is not the job of those at the bottom. Poor governance is a big problem throughout NZ organisations.
-
Keith Ng, in reply to
That looks pretty damned searchable to me, if one had a spot of inside info.
Those file names were from the case files server logs. The case file server itself was inaccessible. Most of my grabs were from the invoice server, which was unsorted and unnamed.
-
Keith Ng, in reply to
the traditional approach would have been to send a memo or email cc'd to everyone the sender can think of. This might well provide effective blame transference. But that's unfashionable nowadays.
Ass-covering CCing never goes out of fashion. In fact, I imagine lawyers for the four people under the gun are looking pretty goddamn hard for those emails right now.
-
Welcome to "Ringfenced MSD" and "Ringfenced WINZ"!
This is a hugely sick joke and scandal what is going on. So 4 junior staff members are to blame for it all, for supposed "sloppiness"? How many did warn them (MSD) over the last 2 years, and who was in charge? How above all did the problem start?
This stinks, it stinks, it smells really bad, and it is scandalous. Brendan Boyle and Bennett, same as their top management, they are all just covering up, protecting their possies and salaries. The whole system was set up in a totally flawed manner, then a beneficiary advocate AND the company that was involved in setting up the system, and last but not least Bailey and others all warned MSD, and nobody took note or any action?
Of course it is bulls to say the data is only about 10 people. Then they also admitted the other day, it is better not to let the 1 thousand plus people know about them having been affected, as it would cause more harm than good.
This is a bit like the old "Eastern Bloc" kind of mentality and processes being followed at MSD. Or is it the mega corporate approach, covering up a scandal? Shut off, close every communications, hold well timed, brief, highly censored media conferences, cover up and blame the underlings for it all.
I have NO faith in this Ministry, the Minister, her lackey CEOs and how WINZ is run. Trouble is, this is causing a big embarrassment, right when Bennett and the government want to push through highly controversial welfare reforms.
They do not want that being affected and mud stick on their skirts and trousers.
Dig deeper, dig up all the rot and crap from under there!
-
Marc C, in reply to
John - You are soo right! The same is happening at ACC. There was all this fuss about the privacy leaks, and Pullar going into a meeting with management to negotiate a settlement, while telling them she was sent sensitive info about so many hundreds or more other clients. Heads were rolling. But what else came out and was to some degree proved. They use hatchet doctors, getting paid hundreds of thousands a year, paid to travel all over NZ to do assessments and recommendations on difficult, complex clients that can cost ACC a lot.
Those medical and rehab professionals were exactly the ones that were known to be on the hard line, and to give ACC the reports and recommendations they wanted. Now has there been much debate about this? No, the mainstream media did not dig into this much; some editorial in the NZ Herald even warned not to go too far in criticising ACC's policies to contain costs.
So all that has now gone under the radar again since September, and privacy, privacy, that is the usual topic.
It stinks, for sure, and poor journalism (being the victim of restructuring, cost saving and focus on mainstream, commercial interests) has something to answer to all this.
-
Computer terminals used for 13 years by job seekers at Work and Income offices had the same security flaw as the self-service kiosks at the centre of the major privacy breach at Winz.
But they're still quite certain there's been no privacy breach.
-
BenWilson, in reply to
But they're still quite certain there's been no privacy breach.
I thought they just had no evidence of it. It's on the public if they can't tell the difference between "No evidence of x" and "Evidence of no x". Ironically, since the term "conspiracy theory" came into existence, there's been a tendency to equate them.
-
TracyMac, in reply to
Yup, I'm still keen on wielding the good-old carefully-selected cc when necessary. People don't grump at you if you don't default to the scattershot approach.
As long as someone in your management chain or the organisation's Security group is included, you're covered. Especially in these days of email journalling and retention, which often means you don't need to keep it physically sitting in your inbox forever. (Although hanging onto that "problem" correspondence is never a bad idea.)
-
Sacha, in reply to
But they're still quite certain there's been no privacy breach
Bennett repeated that claim to Parliament in Question Time today when asked (in a Supplementary to Q5) about the comment on this thread by someone other than Keith or Ira about also having accessed the network through the kiosk flaw.
-