Security weaknesses highlighted at Govt dept

Thursday 31 July 2008 22.22
Data Protection - Weaknesses at Dept
Data Protection - Weaknesses at Dept

An audit of the security of data at the Department of Social and Family Affairs has uncovered a number of weaknesses in systems and practises.

The audit was carried out in January by the Office of the Data Protection Commissioner after significant concerns about practises were highlighted by the ODPA and the media.

The large number of external agencies who have access to information held by the Department and the extent of information shared with these bodies was one of the main concerns outlined in the report.

The audit found that the exchange of some of this information was not secure.

For instance, it found that data exchanged between the Department and the Garda National Immigration Bureau was held on a CD with no encryption.

The report recommends that this practise should be immediately revised and that the Department should seek advice about the legal basis of sharing information with other bodies.

The audit also found that information on welfare payments that contained the personal and bank details of around 300,000 people was held on an spreadsheet that could be easily downloaded, emailed or transferred to an external storage device.

The Office said it regarded the amount of information on this document as excessive and that it should be immediately reviewed.

Security risk

It recommended that the unrestricted access to USB devices in the Department should also be addressed urgently.

The audit also raised concern about the storage of claims files that should have been held in a secure area but that were instead kept outside this area beside an elevator.

The report described this as a clear security risk.

Concerns were also raised about access staff working from home or off-site had to the Department’s system and about laptop security.

The audit also highlighted the problem of the use of generic passwords where users could not be identified and it said the process of resetting passwords was open to abuse.

It also highlighted significant failings in the logging and auditing of employees use of some systems, an issue that they described as of paramount importance.