KiwiNZ: [removed on request]
Really? freitasm, is KiwiNZ coming from an MSD IP address? Because he seems to be claiming to have special insight into this case that I can't imagine anyone bar MSD IT having.
KiwiNZ, you claim several things that simply do not ring true. For a start, that anything was being done to segment these kiosks from the corporate network. This cannot be true, because it's just not that hard. Stick the kiosks on a new VLAN. Connect that VLAN to the internet via a TMG server with multiple NICs (or Squid if that's your thing). Job done. They could do this in a day, so unless they're actually thoroughly incompetent, there's no excuse. Not that incompetence is an excuse either of course.
You also claim to be fully aware of the seriousness of the situation, while also claiming that this is somehow a bad thing. This is just absolute madness - the fact that someone, for example an abusive parent, can go rifle through the CYFS case files to find out where a child has been placed in protective custody is not just "serious", it's actually a clear and present danger. The ONLY course of action acceptable in this case is to take them offline. The inconvenience to a few beneficiaries absolutely doesn't hold a candle to that.
You also make some pretty in-depth claims about MSD's access and auditing policy that unless you actually work for or with MSD you could not possibly know for certain.
And really, calling the CEO would be a waste of time. The CEO isn't going to know what you're talking about because it's not their job. The CIO likely wouldn't give you the time of day, and the lower level staff would be equally useless. And yes, I do work in government.