The kiosks aren’t really the problem here. The kiosks are how the public found out that MSD doesn’t seem to have any internal IT security.
Look at it this way: if you’re reading this at work and you try to access the folders or shared drive of your legal department or HR department, and you’re not a member of those groups, you won’t be able to. They’ll contain privileged information so they’re locked down. This level of security has been ubiquitous in corporate environments since the 1980s.
But not at MSD. If someone gets a temporary contract, or an entry-level data-entry job at MSD, they’ll still have access to all the private information Keith obtained through the kiosks.
Yes. This is the truly horrifying part. Either the kiosks were set up to use system administrator accounts to access the network (highly unlikely), or the network has no internal security being applied to it (which up until now I'd also have assumed was highly unlikely, but it's less unlikely than the first option).
This is a genuinely astonishing level of incompetence. Anyone capable of building MSD's network would be used to building in access controls because every other network on the planet uses them, so there's a suspicion here that someone high up in MSD's management made a policy decision not to control access. This is some serious shit.
It's also a non-party-political issue, i.e. it could as easily have happened under a Labour govt - but it's worth noting that, as expected, Minister Bennett's response to this bad news was to release private data to try and discredit the people who reported the fuck-up. Classy as ever...