SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Passports, licenses of 300 leaked in Ministry for Culture and Heritage data breach
Mon, 26th Aug 2019
FYI, this story is more than a year old

The Ministry of Culture and Heritage has announced in a press conference that it's responsible for the breach of the personally identifiable information of 300 individuals.

Ministry chief executive Bernadette Cavanagh says the personal documents were compromised following a “coding error”.

The data exposed include more than 370 documents belonging to people who had applied to be part of the Ministry's Tuia 250 programme - part of the commemorations marking the 250th anniversary of the first onshore meetings between Maori and Europeans.

The documents leaked included 228 passports, 55 driver licenses, and 36 birth certificates – making the victims vulnerable to identity theft by cyber-criminals.

Cavanagh said in the press release that the information had been publicly available since June on a website created for the Tuia 250 event before the breach was discovered last Thursday.

The website was created by a company commissioned by the Ministry but was not a ministry website.

The company had not been involved with any other Government agencies.

The existence of the data came to light after a parent of one of the applicants reported a fraud attempt using one of the obtained driver licenses.

The matter was then referred to the police and Cavanagh has ordered an independent review to investigate how the breach occurred.

Cavanagh says the Ministry shut down after being alerted to the issue.

“I sincerely apologise to all those who have been affected by this breach.

The breach comes on the back of Treasury's inadequate security practices revealing sensitive Government Budget documents online recently.

It calls into question the Government's ability to store citizens' personally identifiable information securely in a time when organisations are increasingly being held accountable for keeping this information safe in transit and at rest.

The fact that another data breach has occurred so soon raises doubts about the data security procedures and staff awareness in the New Zealand Government.

CQR Consulting co-founder and chief technology officer Phil Kernick says, “The entirely avoidable breach clearly highlights two aspects.  First, you cannot outsource your accountability for keeping personal data secure.

“Secondly,  it isn't good risk management to use any company that isn't independently certified to protect the data they hold.  A sincere apology doesn't undo the damage.

Ixonn Group director Gleuto Serafim says, “Sometimes data leakage may happen unintentionally, causing significant issues to everyone involved. Internal systems vulnerabilities could be a primary culprit. Some of these issues can be from legacy platform defencelessness and others just from being developed and delivered without being secured by design.

“Governments have struggled with the enormous pressure from transforming large manual paper base data sets into digital information. This rush has caused many fractures on data architecture access and processes.

"Governments must consider proper governance over data access. Dealing with privacy today ultimately demands a tremendous effort from the government, especially when dealing with third party organisations, which requires access to sensitive data.

WatchGuard Technologies ANZ regional director Mark Sinclair says, “Avoiding 'coding errors' that lead to data breaches comes down to better scrutiny of outsourced solution providers.

“Good coding reviews and more complete acceptance testing will lead to the reduced probability of leaving a door wide open for malicious parties to exploit.

“Any business or government department that outsources their public-facing web portals needs to choose companies with great track records for producing secure web applications.