Freelance journalist Keith Ng accessed and downloaded thousands of files at two publicly available computer kiosks at Work and Income in Wellington.
(About 700 of the self-service kiosks were installed in Winz offices throughout New Zealand two years ago.) Some of the files accessed could have compromised the safety of vulnerable children, and included case notes with names of children in Child, Youth and Family homes and up for adoption, addresses of care homes, details of foster parents, details of children's medical prescriptions, and names of investigators and clients in fraud investigations.
There were also fears Canterbury Earthquake Recovery Authority information shared with the ministry might have been exposed.
The apologies were swift. Ministry of Social Development chief executive Brendan Boyle took immediate responsibility, saying "the buck stops with me" and admitted "it's embarrassing and unacceptable". Social Development Minister Paula Bennett apologised. Prime Minister John Key said the security flaw was a "huge problem" and the Government needed "to work out what caused it".
While the immediate launch of investigations into the incident, closure of the kiosks, admission of responsibility and apologies are welcome, serious and unsettling questions remain.
Issues around security, privacy, trust and responsibility are paramount for government departments and the public, given the highly personal and sensitive information that is held. The incident is concerning given other departmental privacy breaches, and the ministry's recent announcement of a shared computer database that will contain details of vulnerable children.
Ms Bennett's reassurances that "if anything, this has given us an early warning for our future systems" does not ease minds, given a beneficiary advocate advised the ministry of a flaw more than a year ago which led to an investigation and rebuild of the system; and further revelations an IT company tested the self-serve kiosks in April last year and identified issues of concern which appear not to have been acted on properly.
Assistant Privacy Commissioner Katrine Evans said the commission was very concerned: "Protecting personal information is a cornerstone of public trust in both government and business, particularly in the digital environment - and this is one of several recent incidents that show that agencies need to up their game."
Those incidents include a major ACC privacy breach last year, in which a spreadsheet containing details about more than 6000 clients was accidentally emailed to claimant and former National Party insider Bronwyn Pullar, and a privacy breach at the IRD last month in which personal details for almost 30 customers were accidentally released.
Of course, there are also ethical - and potential criminal - issues to be considered in this incident.
Whatever the intentions in this case, the results highlight a clear lack of security at the ministry.
What assurances can the public have about the safekeeping of sensitive information?
In August, in light of a report into the ACC breach, State Services Commissioner Iain Rennie said he was considering that "state-sector chief executives review their systems for handling private information".
In response to the latest breach, the Prime Minister called for a Government-wide review of online information, computer systems and security.
Such reviews are all well and good, but the public clearly needs to see evidence of change when it comes to safeguarding personal information.
It was revealed last month ACC had relaxed its new privacy rules for sensitive-claim clients - which were adopted in the wake of its breach and following an independent review of ACC and an inquiry by the Auditor-general - saying it had put other "special measures" in place around document transfer.
It is exactly that seemingly "relaxed" approach about which the public is wary. If trust cannot be restored and guaranteed, ministers, chief executives and ministry staff should be held accountable - with their jobs.
