[BreachExchange] Serious privacy breach at Ministry for Culture and Heritage

Destry Winant destry at riskbasedsecurity.com
Tue Aug 27 10:13:38 EDT 2019


Hundreds of young people have had their sensitive details exposed
online - including passports, birth certificates and drivers' licences
- due to a security breach on a government website.

In a media conference in Wellington this morning, Ministry for Culture
and Heritage chief executive Bernadette Cavanagh apologised for the
"completely unacceptable" error and launched an independent review
into what went wrong.

Roughly 300 people - most aged between 16 and 20 - had provided the
information to the ministry as part of their applications to take part
in Tuia 250 commemorations marking 250 years since the James Cook

Ms Cavanagh said their details were uploaded to an external website
without sufficient protections and could have been found through a
simple Google search.

"Frankly, it was a mistake, it was a coding error, the right
protections weren't put in place," she said.

"I'm just so sorry this happened."

Ms Cavanagh said she was ultimately responsible for the breach, but
confirmed she had not offered her resignation. She said it was too
early to say whether anyone would lose their job.

"I have asked for an external review to see what went wrong in this
case and to ensure that the ministry's processes around gathering and
storing information is robust."

The ministry was alerted to the breach on Thursday by the parent of an
applicant who had discovered their driver's licence had been used
fraudulently to try to purchase concert tickets online.

Government ministers were immediately notified and all information was
removed from the site by that evening. The website was shut down
completely on Friday.

Personal identification documents that have been compromised include:

- 228 passports (209 NZ, 19 international - Australia, Brazil, China,
  US, Canada, South Africa, UK, and Denmark)
- 55 driver licences
- 36 birth certificates
- 6 secondary school IDs
- 5 NZ residential visas

Ms Cavanagh said some cached copies of the material could still be
found online, but the ministry had approached Google and other search
engines to request it be taken down.

All applicants had been contacted and offered replacement documents at
no cost, she said.

Situation 'alarming', parent says

Since the Tuia 250 website was shut down, its Facebook page has been
busy with people asking if their data had been breached and what the
next steps would be.

One Facebook user commented: "I've been contacted about my personal
information being shared with a third party? Could someone please
explain this to me."

A helpline (0800 624 669) and a website have been set up to support
people who are impacted by the breach.

A helpline operator said they had not been very busy.

The mother of an applicant - who did not want to be named - told RNZ
the whole situation was "alarming".

"Even the phone call and the email we got about it seemed dodgy. It
was hard to tell if it was genuine," she said.

She said the error was heightened by the majority of the applicants
being young Māori and Pasifika people.

"Unfortunately, it looks like a present day example of a colonialist
institution once again being neglectful of the taonga of Te Ao Māori,
in this case, their identity.

"It is a huge fail, sadly," she said.

Speaking at the media conference, government chief digital officer
Paul James said he would write to all public chief executives to
remind them of the standards and policies and to confirm they were

He said it appeared the Tuia 250 website had not been configured
according to the required security standards.

"It's a really significant breach and it's definitely regrettable."

Ms Cavanagh confirmed the ministry had commissioned an outside company
- which she would not name - to develop the website. She said the
company had not been used for any other website.

Prime Minister Jacinda Ardern is responsible for the Ministry for
Culture and Heritage, also known as Manatū Taonga.

A spokesperson for Ms Ardern declined a request for an interview, but
issued a statement confirming she'd been alerted to the breach.

"This is very disappointing, and Manatū Taonga will be commissioning
an external review to determine how this occurred," she said.

"It is too early for me to comment further."

The National Party is demanding the government act quickly to fix
whatever problems exist in its cyber security after the breach.

National's Nicky Wagner said the scope of the breach was astonishing.

"It sounds like a mixture of carelessness and naivety to me, this is
serious, this is a very large number of young people's information and
it's not just their names for example, it's details of passports,
driver's licences - I can't believe this has happened."

Ms Wagner said the Prime Minister must ask some tough questions of her
officials to fix what went wrong.

The privacy breach comes just months after Treasury said its website
had been subject to "deliberate and systematic" hacking. It was later
revealed the National Party had accessed sensitive Budget information
using the website's search function.
