An independent report into how private files held by the Ministry of Social Development were accessible through public computer kiosks at Work and Income offices has found security was not adequately considered in their design and implementation.
Ministry chief executive Brendan Boyle today said he was "gutted" and "sorry" about the breach after the Deloitte review concluded the ministry was first told about security flaws in April last year, six months before the kiosks opened.
Mr Boyle said 7300 files were accessed and 1432 people's privacy breached, but eight children and two adults had their privacy seriously breached.
"The breach was unacceptable, it was dealt with within hours and people will be held accountable. If we've got some gaps in our system, we have to close them," he said.
Among the flaws was an inability to separate the kiosks, used by jobseekers, from the ministry's main server.
The report found the ministry's consideration of security requirements during the design and implementation of the kiosks and its response to concerns identified during testing was inadequate.
It highlights that the ministry was again told of security risks in October 2011 by a beneficiary advocate invited to a training session.
Deloitte chairman Murray Jack said the report recommended new security measures if the kiosks were to be used again, including separating them from the main ministry server.
"Clearly separating the network either physically or logically does cost money," he said.
Mr Boyle said four employment investigations were launched as a result of the privacy breaches.
He said there were a range of reasons but the main one was whether staff "acted appropriately with the information they had".
"It never got to the level of seniority is should have reached."
Labour's Social Development spokeswoman Jacinda Ardern said security breaches at the ministry should not be dismissed by Social Development Minister Paula Bennett.
She said it was apt of Mr Boyle to call the lack of follow-up on the raising of security concerns "slack" and "sloppy".
"That's an apt description of Paula Bennett's handling of this fiasco."
She said it was unacceptable Ms Bennett has labelled the breach as an "operational issue" and that wider security issues had been dismissed as "human error".
Ms Ardern questioned the ministry's ability to launch a database for at-risk children and improve information sharing.
