Top Scoops

Contact

Scoop

Network

Scoop Top Scoops

Tuia 250 privacy breach: Tech boss signed off on government website with no testing

Monday, 2 March 2020, 11:54 am
Article: RNZ

A top tech boss at the Ministry of Culture and Heritage (MCH) reviewed the Tuia 250 website's security and declared it "fit for purpose" just two months before a major breach was uncovered, new correspondence shows.

The waka flotilla arrives in the bay as part of the Tuia 250. Photo: RNZ / Meriana Johnsen

The security lapse - discovered by a member of the public in August 2019 - compromised the privacy of roughly 300 young people who had uploaded sensitive material while applying to take part in commemorations.

The breach exposed copies of the applicants' passports, birth certificates and drivers' licences online, leaving them able to be found via a simple Google search.

Correspondence obtained by RNZ under the Official Information Act shows the website - which was set up by an external contractor - had been given the all-clear by MCH Chief Information Officer Kenny Townsley.

Emails show Townsley conducted a "security review" of the site in early June 2019 after concerns were raised within the Ministry.

As part of the assessment, he sought assurances from the contractor, but did not personally test that the site was secure.

In an email sent on 11 June, the contractor told the Ministry that the website's security was up to scratch, but admitted the personal data being collected was "not encrypted" while being stored on the server.

Advertisement - scroll to continue reading

Later that day, Townsley wrapped up his "review", concluding that the site was "fit for purpose from a security point of view" and all functions should be enabled.

"Information provided by the website vendor ... does verify that security has been considered as a core requirement and they have put in place security measures that would be deemed reasonable and appropriate," he emailed to senior management.

At no stage was the website directly tested by the Ministry to determine whether it was truly secure and appropriately configured.

Several days after the sign-off, MCH deputy chief executive Tamsin Evans received an internal email alerting her that the Tuia 250 website lacked "any of the usual legal protections or disclaimers found on government websites".

"We need to add this information urgently, especially in light of our online forms through which we are collecting sensitive personal information for our trainee applicants," the email said.

An independent review of the botch-up - released in December - concluded the breach was most likely caused by the contractor having incorrect security settings on files containing personal information.

The report stated, however, that the Ministry was ultimately accountable, highlighting its failure to properly test the website's security or carry out a privacy impact assessment.

"The issues with the security settings and the insecure storage of personal information could have been discovered and rectified if penetration testing of the website had been carried out before the application process went live," the report said.

In response to the report's findings, MCH chief executive Bernadette Cavanagh apologised and said she had taken "immediate action" to improve security systems.

The Ministry has since committed to making security testing mandatory on all technical systems holding personal information.

In a statement to RNZ, Cavanagh said she retained full confidence in Townsley.

"He made recommendations based on all the information he was provided at the time," she said.

Cavanagh reiterated that the Ministry took full responsibility for the breach, had carried out a thorough investigation and was focused on preventing a repeat occurrence.

RNZ

New Zealand's public broadcaster, providing comprehensive NZ news and current affairs, specialist audio features and documentaries.

Radio New Zealand is a Crown entity established under the Radio New Zealand Act 1995. Radio New Zealand News are vital elements in our programming, providing impartial news and information to New Zealanders every day. Radio New Zealand (RNZ) provides listeners with exciting and independent radio programmes in accordance with the Radio New Zealand Charter.

Contact RNZ

Website - www.radionz.co.nz
Twitter - @rnz_news
Facebook
Link - Contact RNZ

Top Scoops Headlines

COMMENT

Gordon Campbell: On When Racism Comes Disguised As Anti-racism

The meaning of the word “racism” is being deliberately blurred, for political reasons. Lets re-state the obvious: when people are chronically experiencing worse social outcomes and lower life expectancy due to the colour of their skin, that’s

Peter Dunne: Newshub And TVNZ Tip Of Media Iceberg

There has been a positive but restrained response to the deal announced between Stuff and Warner Brothers Discovery to “save” TV3’s six o’clock nightly news bulletin, currently screened under the Newshub label. According to Stuff, the deal will mean that around 40 of the jobs involved can also be saved.

Harry Finch: Austerity – For And Against

It’s a word that politicians love to hate and as much as the current government is telling us that the measures they are taking don’t amount to austerity, by definition, they do. And as other commentators have noted, New Zealand has elected a government of austerity, so let’s weigh up the pros and cons.

Gordon Campbell: On Winston Peters’ Pathetic Speech At The UN

Tens of thousands of Gazans have been slaughtered, two million are on the brink of starvation and what does our Foreign Minister choose to talk about at the UN? The 75 year old issue of whether the five permanent members should continue to have veto powers over Security Council decisions.

Binoy Kampmark: Flicker Of Hope, Biden’s Throwaway Lines On Assange

Walking stiffly, largely distracted, and struggling to focus on the bare essentials, US President Joe Biden was keeping company with his Japanese counterpart, Prime Minister Fumio Kishida, when asked the question. It concerned what he was doing regarding Australia’s request that the WikiLeaks founder Julian Assange be returned to Australia.

Media Matters NZ: Here We Go Again

The News Makers are in the News again and this time because of mass layoffs laid on for the delectation of the staff involved, mainly news and current affairs people, which has, its fair to say, given them a thoroughly justified bellyache.

Join Scoop Pro

Submit News

Become a Member

Community Scoop

More RSS News Alerts

Wellington Scoop