The details of how Australian IT project manager John Denison managed to hack into the New Zealand Ministry of Health"s computer systems and transfer NZ$2.3 million (US$1.6 million) of Ministry money to a bank account he set up under a false name have been suppressed.
The suppression order was made at the request of the Ministry by Judge Robert Kerr, who on Oct. 15 sentenced Denison to three years" imprisonment.
Denison was hired to work on the claims processing side of the ministry"s meningococcal B immunization program. His fraud attempt was detected when laboratories that were due to receive the cash complained about not being paid.
Denison was arrested on Sept. 22 after being identified by health ministry healthPAC (payments and claims) general manager Jeannie Bathgate in videos from the ASB bank, where he"d set up the fake account.
Bathgate says the request to suppress how Denison accessed the system was made to prevent copycat actions and because it is "sensitive information".
Independent IT security consultant Nick FitzGerald, speaking in general terms and not in reference to the Denison case, says information about hacking attempts into computer systems could be beneficial if the hacking process was relatively simple and the systems were poorly designed and protected, in which case suppression may prevent copycat crimes.
However, "if there was a large degree of sophistication in what they did, it"s unlikely there would be copycat crimes," as few would have the skills to attempt a similar break-in, FitzGerald says.
Bathgate says the Ministry brought in accounting and IT consultants in to check the systems. Westpac Bank was also involved because the Ministry uses its Deskbank banking system, she says.
She adds that the fact the missing money was detected so quickly and transactions reversed shows the ministry"s financial reporting systems are robust, but on the question of why Denison was able to break in at all, responds "that an attempt was even made is an issue and we have moved, using internal and external expertise, to ensure that attempts of this kind will not be possible in the future."
The Ministry was required to provide a victim impact statement during the case and estimate the financial cost of the affair, which it put at NZ$50 to $80,000 in the statement.
Some "e-forensics" work is still being carried out, Bathgate says.
Denison also committed passport fraud by using a false passport as ID for the bank account.
The Accident Compensation Corporation, a previous employer, has looked into Denison"s time there, spokesman Fraser Folster says. "Our investigation is substantially finalized and there has been no fraudulent activity detected," he says.
Denison worked at ACC from June 2003 to April 2004 as a project manager.