A review of the government's procurement marketplace by KPMG identified numerous failings in the way an online catalogue was developed, contributing to security failings.
However, the report appears to redact any mention of the provider of the catalogue software, Serbia-based Bal Lab, which develops an app-store style product called Distribooted.
The catalogue function of the Department of Internal Affairs' marketplace was taken down at the end of April after an authorised user inadvertently accessed a subset of commercially sensitive information belonging to a rival supplier of construction services.
This was a new category on the platform, which already offered ICT professional services, managed services and public cloud services.
KPMG's report, posted yesterday, said a decision was made to release the Marketplace to production based on a "go-live" memo dated 24 September 2019.
This outlined a number of high risk defects and issues and acknowledged that these must be resolved before the Marketplace was released into production.
One of the high risk defects identified was the ability for suppliers to download an Excel file containing commercially sensitive information about other suppliers.
High risk defects were resolved before go-live, but this was not confirmed through testing prior to the construction consultancy services panel going live on 18 March 2020.
"Between go-live on 24 September 2019 and the launch of the construction consultancy services panel on 18 March 2020, there were three software releases (drops 13, 24 and 35) and thirteen hot-fixes," the report noted.
"One of these code releases to production resulted in a partial regression to a previous version of code that contained the defect that led to inappropriate access to supplier confidential information; we were unable to determine if the patch was overwritten or unapplied."
The defect-containing code was therefore reintroduced and released, and user acceptance testing failed to identify it.
Additionally, "smoke testing" in production was not executed, as there was no service provider information available to test in the portal.
On 1 April 2020, MBIE verbally notified DIA of the data incident and details of how the event occurred. The same day, DIA and the external vendor were able to replicate the data incident event.
The Department then took the catalogue function offline, where it remains today. An interim catalogue system was stood up and remains in place to deliver the functionality.
The report identified a number of factors which directly contributed to the incident, outlined in a heavily redacted section titled "Data incident analysis and findings".
These included inadequate governance and programme management arrangements for the project in the department's Systems and Services Transformation (SST) branch.
"Policies, standards and practices related to testing, security, certification and accreditation were not in line with DIA policy as well as expected industry standards," the report said.
"Testing practices were immature; the defect that allowed the data incident was identified and resolved but did not form part of the testing prior to the Construction Consultancy Services Panel going live.
"A mature testing practice would have tested for all previously identified high risk defects."
Programme management and delivery of the Marketplace by SST branch was not adequate and did not follow DIA policies and standards, the report said.
Programme and project management practices were immature, given the nature and risk associated with the Marketplace development.
Change and release management practices were also immature and did not reflect industry and DIA standards.
"The level of governance and risk management over the project was not commensurate with its importance to the NZ procurement system," KPMG reported.
The Marketplace's security incident response standard operating procedure document was also found wanting.
Structural barriers were also identified, including limited integration of the SST branch within DIA which affected the adoption of wider DIA capabilities and policies. Inter-agency collaboration and governance was also not optimised.
KPMG identified a number of actions to mitigate the possibility and severity of future incidents.
These included enhanced external vendor management practices, consistent adoption of DIA standards and best practices and more use of DIA's existing internal IT function.
Improving coordination of incident responses and establishing clear expectations and roles related to inter-agency collaboration and governance filled out the recommendations.
DIA said in a statement it sincerely regretted the issue and thanked people involved for their understanding.
"We accept all the findings in the review and have developed a comprehensive action plan focused on specific opportunities for improvement," a spokesperson said.
"We believe using platforms like Marketplace makes procurement easier and less bureaucratic for suppliers and government agencies. We will continue to work hard to maintain confidence in the integrity of our systems and processes."
The interim Marketplace solution is growing with a total of 775 supplier listings across a range of catalogues.