
Passports, licenses of 300 leaked in Ministry for Culture and Heritage data breach

26 Aug 2019

The Ministry for Culture and Heritage has announced in a press conference that it’s responsible for the breach of the personally identifiable information of 300 individuals.

Ministry chief executive Bernadette Cavanagh says the personal documents were compromised following a “coding error”.

The data exposed include more than 370 documents belonging to people who had applied to be part of the Ministry’s Tuia 250 programme - part of the commemorations marking the 250th anniversary of the first onshore meetings between Maori and Europeans.

The documents leaked included 228 passports, 55 driver licenses, and 36 birth certificates – making the victims vulnerable to identity theft by cyber-criminals.

Cavanagh said in the press release that the information had been publicly available since June on a website created for the Tuia 250 event before the breach was discovered last Thursday.

The website was created by a company commissioned by the Ministry but was not a ministry website.

The company had not been involved with any other Government agencies.

The existence of the data came to light after a parent of one of the applicants reported a fraud attempt using one of the obtained driver licenses.

The matter was then referred to the police and Cavanagh has ordered an independent review to investigate how the breach occurred.

Cavanagh says the Ministry shut down after being alerted to the issue.

“I sincerely apologise to all those who have been affected by this breach.”

The breach comes on the back of Treasury’s inadequate security practices revealing sensitive Government Budget documents online recently.

It calls into question the Government’s ability to store citizens’ personally identifiable information securely in a time when organisations are increasingly being held accountable for keeping this information safe in transit and at rest.

The fact that another data breach has occurred so soon raises doubts about the data security procedures and staff awareness in the New Zealand Government.

CQR Consulting co-founder and chief technology officer Phil Kernick says, “The entirely avoidable breach clearly highlights two aspects. First, you cannot outsource your accountability for keeping personal data secure.

“Secondly, it isn’t good risk management to use any company that isn’t independently certified to protect the data they hold. A sincere apology doesn’t undo the damage.”

Ixonn Group director Gleuto Serafim says, “Sometimes data leakage may happen unintentionally, causing significant issues to everyone involved. Internal systems vulnerabilities could be a primary culprit. Some of these issues can be from legacy platform defencelessness and others just from being developed and delivered without being secured by design.

“Governments have struggled with the enormous pressure from transforming large manual paper-based data sets into digital information. This rush has caused many fractures on data architecture access and processes.

“Governments must consider proper governance over data access. Dealing with privacy today ultimately demands a tremendous effort from the government, especially when dealing with third party organisations, which require access to sensitive data.”

WatchGuard Technologies A/NZ regional director Mark Sinclair says, “Avoiding 'coding errors' that lead to data breaches comes down to better scrutiny of outsourced solution providers.

“Good coding reviews and more complete acceptance testing will lead to the reduced probability of leaving a door wide open for malicious parties to exploit.

“Any business or government department that outsources their public-facing web portals needs to choose companies with great track records for producing secure web applications.”
