NZ data breach ‘highlights need for information governance’

Blogger Keith Ng wrote earlier this week that he had been able to walk into one of the MSD’s Work and Income offices, and using one of its self-service kiosks was able to access thousands of sensitive files. The ministry has since launched an investigation.

Rob Sobers, from data governance software firm Varonis, blogged about the breach today and said information governance was much harder than people thought – “especially in an age where data is somewhat of a contagion, being created and replicated at such a staggering pace”.

He said there were two possibilities as to how the breach occurred – firstly, the kiosks were logged in with an ‘administrative account’ or secondly they were logged in with a ‘normal account’ but the file shares had incorrect permissions. Sobers said the second cause was very common and something that Varonis saw every week with organisations.

Sobers said the kiosks weren’t the issue and he has supplied some tips on how to address the root cause. These include locating exposed and sensitive data by using a data classification system; identifying and removing global access groups from access control lists; watching super users; and assigning and involving data owners.