[BreachExchange] NZ Transport Agency admits data breach after lax security

Destry Winant destry at riskbasedsecurity.com
Tue Sep 10 09:59:18 EDT 2019


The New Zealand Transport Agency has admitted to a technology botch up
leaving what was meant to be a highly secure data key wide open.

"The Transport Agency can confirm the Google API was incorrectly left
open as part of the Traffic Watcher pre-production set up," NZTA said
in statement.

The key is a unique code used to access data from Google's application
programming interface (API), in this case through 2018 and in early
2019. It was used to build Traffic Watcher, an online tool for
transport operations centres, maintenance contractors and the police.

Sources familiar with the system said when Traffic Watcher was
soft-launched in early 2019 this unique key was hardcoded into it, so
those with simple IT skills could view and copy it. Equipped with that
key, it was possible to access other API data with billing passed to

NZTA denied the bungle cost taxpayers but admitted it did not keep
track of such expenses.

It is now in talks with Google about a possible data breach.

Traffic Watcher was accessed 600 times in March and July this year but
almost 3000 times in May.

NZTA has not confirmed if the May surge was due to the insecure key,
did not say when it finally secured the key, nor has it provided the
earlier site usage figures.

However, it has confirmed to RNZ that it corresponded with Google
about a breach or possible breach of data storage.

Google declined to comment.

RNZ's OIA request for details was immediately rejected by NZTA on
commercially sensitivity grounds.

"There was one known attempt by a contractor to use this API, which
Google shut down as part of their management and security processes,
and so stopped access," NZTA said in a statement.

However, Traffic Watcher was developed by the Connected Journey
Solutions unit, which a recent independent review found "was given an
extraordinary degree of freedom" that was abused in multiple ways.

Ninety per cent of the unit's 100 or so staff were short-term
contractors who were allowed to use personal computers and personal
emails to do work, and misused NZTA domain names.

"Shadow technology, inconsistent identity and access management
processes, and a lack of technical and architectural input have led to
vulnerabilities in security and resilience," the review said.

There is industry speculation that misuse of the API key was
widespread, that contractors took the key's details with them when
they left, and that the bill being sheeted back to NZTA was high.

The agency denies this: "At no time has NZTA faced increased costs
over its licenced amounts for access through Traffic Watcher, nor has
the agency incurred any additional costs as a result."

But a separate OIA response from NZTA shows:

• It did not keep track of Traffic Watcher data costs.
• It did not keep track of the cost of research and development on
Traffic Watcher from February to December 2018.
• It could not disclose these costs because they were not individually
accounted for, it said.
• Traffic Watcher's development costs this year to June were $375,000.

The independent review in July does not mention the API problem.

But it said financial governance at Connected Journeys was lax so
funds were not clearly accounted for. There was an inability to
accurately identify expenditure.

"A lack of oversight undermined [the unit's] ability to deliver and
operate quality products," it said.

NZTA's contracts with Google contributed to a 75 per cent leap in its
software licensing fees last year, up from $4m to $7m. Its data access
and storage fees are not recorded.

NZTA would not provide details. It cited commercially sensitivity for
refusing RNZ's OIA request to disclose:

• What its three Google contracts are worth.
• The operating costs for the Google data or cloud contracts.
• What it has paid for data services in total since 2013.
• The Google contracts do not appear among the hundreds of NZTA
contracts that have been made public.

Google got the contracts directly and there was no public tender. NZTA
said it followed its procurement rules.

Transport Minister Phil Twyford's office said he was made aware of the
Traffic Watcher app, and the costs and problems at Connected Journeys,
as part of the July review.

Connected Journeys circumvented many public sector controls, with the
knowledge of former NZTA chief executive Fergus Gammie, the review

It was shut down earlier this year after Gammie and unit director
Martin McMullan resigned.

More information about the BreachExchange mailing list