sb-nz logo
Story image

Passports, licenses of 300 leaked in Ministry for Culture and Heritage data breach

26 Aug 2019

The Ministry of Culture and Heritage has announced in a press conference that it’s responsible for the breach of the personally identifiable information of 300 individuals.

Ministry chief executive Bernadette Cavanagh says the personal documents were compromised following a “coding error”.

The data exposed include more than 370 documents belonging to people who had applied to be part of the Ministry’s Tuia 250 programme - part of the commemorations marking the 250th anniversary of the first onshore meetings between Maori and Europeans.

The documents leaked included 228 passports, 55 driver licenses, and 36 birth certificates – making the victims vulnerable to identity theft by cyber-criminals.

Cavanagh said in the press release that the information had been publicly available since June on a website created for the Tuia 250 event before the breach was discovered last Thursday.

The website was created by a company commissioned by the Ministry but was not a ministry website.

The company had not been involved with any other Government agencies.

The existence of the data came to light after a parent of one of the applicants reported a fraud attempt using one of the obtained driver licenses.

The matter was then referred to the police and Cavanagh has ordered an independent review to investigate how the breach occurred.

Cavanagh says the Ministry shut down after being alerted to the issue.

“I sincerely apologise to all those who have been affected by this breach.”

The breach comes on the back of Treasury’s inadequate security practices revealing sensitive Government Budget documents online recently.

It calls into question the Government’s ability to store citizens’ personally identifiable information securely in a time when organisations are increasingly being held accountable for keeping this information safe in transit and at rest.

The fact that another data breach has occurred so soon raises doubts about the data security procedures and staff awareness in the New Zealand Government.

CQR Consulting co-founder and chief technology officer Phil Kernick says, “The entirely avoidable breach clearly highlights two aspects.  First, you cannot outsource your accountability for keeping personal data secure. 

“Secondly,  it isn’t good risk management to use any company that isn’t independently certified to protect the data they hold.  A sincere apology doesn’t undo the damage.”

Ixonn Group director Gleuto Serafim says, “Sometimes data leakage may happen unintentionally, causing significant issues to everyone involved. Internal systems vulnerabilities could be a primary culprit. Some of these issues can be from legacy platform defencelessness and others just from being developed and delivered without being secured by design.

“Governments have struggled with the enormous pressure from transforming large manual paper base data sets into digital information. This rush has caused many fractures on data architecture access and processes.

"Governments must consider proper governance over data access. Dealing with privacy today ultimately demands a tremendous effort from the government, especially when dealing with third party organisations, which requires access to sensitive data.

WatchGuard Technologies A/NZ regional director Mark Sinclair says, “Avoiding 'coding errors' that lead to data breaches comes down to better scrutiny of outsourced solution providers.

“Good coding reviews and more complete acceptance testing will lead to the reduced probability of leaving a door wide open for malicious parties to exploit.

“Any business or government department that outsources their public-facing web portals needs to choose companies with great track records for producing secure web applications.”

Story image
Research: Younger cybersecurity pros more fearful of being replaced by AI
According to the findings, 53% of respondents under 45 years old either agreed or strongly agreed that AI and ML are a threat to their job security, despite 89% of this demographic believing that it would improve their jobs.More
Story image
Secureworks: Remote working exposes new security vulnerabilities
New vulnerabilities have been exposed as IT teams across the world respond to the ongoing COVID-19 pandemic.More
Story image
New project development inhibited by cybersecurity, Kaspersky research states
"There are still some practical steps that can be taken to make sure that an emerging technology or a product reaches its launch. Cybersecurity doesn’t have to be another corporate barrier, but it should be on an integral part of the project all long."More
Story image
Lumen launches managed security services for APAC market
The new service is designed to provide enterprise businesses with a proactive, connected security strategy to enhance threat detection and protection across endpoints. More
Story image
Security and operations collaboration key to success post COVID-19
“We are in an ultra-hybrid world with multi-everything, and in order to successfully navigate this landscape, ITOps, DevOps, and SecOps teams need to more closely align."More
Story image
Creating private data regulations for employees
Whether employees are hired on a part-time or full-time basis, everyone must know about data privacy regulations. Everyone needs to be responsible for keeping the organisation’s data secure. More