Unless you spent the latter half of this year in a cave, you will be aware that both ACC and the Ministry of Social Development suffered security and privacy incidents.
There are similarities in both events; independent reviews were commissioned and reports drafted attempting to discover root cause and recommend changes to prevent recurrence, both incidents were very public and reported, discussed and debated in the media, both incidents were to a large degree caused by failures in governance which resulted in an absence of risk management and most notably, both incidents were discovered and reported by members of the public.
What I think is interesting though are the differences between these cases (and the ’cause and effect’ confusion in the MSD report, but that’s another post…). In the ACC incident, information was mistakenly exposed to someone it shouldn’t have been. The information was sent via email and was limited to the details contained in the email and accompanying spreadsheet. In the MSD incident, information was mistakenly exposed to someone it shouldn’t because the connectivity from the kiosks exposed the internal network.
Technical details aside, the most telling difference was the way in which each organisation responded to notification of the breach. ACC took a long time to acknowledge the problem, begin a proper investigation and attempt to discover root cause and hence a solution to prevent further breach or expansion of the original problem. MSD reacted almost immediately once evidence of the incident was clear shutting down the kiosk equipment and launching an investigation.
Subsequently, it would seem that the ACC incident caused much greater fallout than the MSD incident despite (in my opinion) the MSD breach having much more potential for a sustained disclosure of data over a longer period of time with potentially more damaging consequences. This I believe was purely down to better incident response and the role of senior management in that response, which is a good lesson. Sh*t happens (note: this isn’t an excuse for negligence) but being prepared for it and responding to it in a controlled and planned manner is key to a faster, more efficient, less expensive and ultimately less damaging recovery.