Serious data breach at Ministry

Acceptable forms of ID are a HANZ 18+ identification card, a valid passport, and a NZ...
Driver licence details were among those exposed during the digital security breach.
Private details of hundreds of young New Zealanders, including passports, birth certificates and drivers' licence details, were exposed on a Government website during a digital security breach.

The Ministry of Arts, Culture and Heritage (MCH) was alerted to the breach by a parent. It has apologised, saying the breach is "completely unacceptable".

The young people had supplied their details to the MCH as part of their applications to sail on the double-hulled canoe Fa'afaite, as part of the Tuia 250 commemorations marking 250 years since James Cook landed in New Zealand.

The breach could impact 302 people who applied for the programme and provided personal details as part of the process.

All those affected have been contacted, officials say.

At a press conference in Wellington today, MCH chief executive Bernadette Cavanagh and the Government's chief digital officer, Paul James are outlining the details of the breach.

The breach was discovered on Thursday and the website, a special one set up for the purpose, it was shut down on Friday.

Explaining in detail how the breach was detected, Cavanagh said someone had been fraudulently trying to buy a ticket, believed to be a concert ticket, online using the driver licence ID of one of the Tuia 250 applicants.

The vendor of the ticket thought something was not quite right so contacted the holder of the licence and confirmed that the holder was not the person trying to buy the ticket.

Cavanagh said she sincerely apologised to those impacted by the breach and said it was a "coding error".

"I would like to apologise to all the people affected by this breach," Cavanagh said.

"I acknowledge that this is completely unacceptable and am using every resource available to me to support them through this issue."

She said that while applicants for the trip was open to people aged 16 to 75, the majority of applicants were aged 16 to 20.

Cavanagh said security investigators didn't think it was a targeted attack on the website.

"But rather an opportunistic funding of information that wasn't as secure as it should have been."

The Ministry has undertaken specialist security investigations to identify the scope of the breach.

Of ID documents compromised, there were 228 New Zealand passports, 55 driver licences, 36 birth certificates, six school IDs, and five residential visas.

The MCH digital breach comes less than three months after failures of website security at the Treasury during which the National opposition party got parts of confidential Budget documents through a simple search.

The Fa'afaite is due to arrive in Gisborne in early October and then visit various centres around New Zealand.

Prime Minister Jacinda Ardern is the Culture and Heritage Minister.

Budget leak:

The incident comes three months after Treasury claimed its website was hacked, allowing the leak of confidential Budget information.

The National Party had released "top secret" details of the Budget, and Treasury said it had evidence that there had been "deliberate and systematic" hacking, with the website accessed more than 2000 times.

The matter was referred to police on the advice of the national cybersecurity unit in the Government Communications Security Bureau. However, it later emerged that National staffers had used a simple search function to get the information.

A subsequent investigation, launched by State Services Commissioner Peter Hughes, into whether former Treasury boss Gabriel Makhlouf misled the Government found he had acted in good faith, but that his actions were not reasonable and he should have taken more personal responsibility.

Makhlouf left the position in late June to take up a role as head of the Irish Central Bank.

A separate inquiry into how sensitive information on the Treasury's website wasn't secure is ongoing. That is looking at what happened, why it happened, the lessons learned, and the actions the Treasury needed to take to prevent it happening again.

Murray Jack is heading that inquiry. He is a professional director, Chair of Chartered Accountants Australia and New Zealand and a former member of the board of the Financial Markets Authority. He was previously chairman and chief executive of Deloitte NZ.

Comments

Online is not secure in NZ.

Insist on hard copy process of official documents.

As well, there could be a right to sue in this extreme breach.