And it's not just a breach. It's a complete lack of governance around access control of incredibly private data.
Let’s be clear here that this is not simply an IT issue – this is a governance failure that goes right to the top, implicating the CEO of MSD at the very least, if not ministers as well.
There are two possible scenarios here. Either the terminals are running as some administrative account with special privileges to access the entire network. Or there simply are no access controls. I think we can assume the latter.
So crucial sensitive data had no access controls. We’re not talking about shoddy access controls, which would be an IT issue. We are talking no access controls, meaning that at a policy level controls have never been instituted. Meaning that, even if by omission, a decision has been made that it’s okay for all MSD staff (and anyone else with access to MSD’s network) to have access to all MSD information.
This is huge.