Top Scoops

Book Reviews | Gordon Campbell | Scoop News | Wellington Scoop | Community Scoop | Search


Tuia 250 privacy breach: Tech boss signed off on government website with no testing

A top tech boss at the Ministry of Culture and Heritage (MCH) reviewed the Tuia 250 website's security and declared it "fit for purpose" just two months before a major breach was uncovered, new correspondence shows.

The waka flotilla arrives in the bay as part of the Tuia 250. Photo: RNZ / Meriana Johnsen

The security lapse - discovered by a member of the public in August 2019 - compromised the privacy of roughly 300 young people who had uploaded sensitive material while applying to take part in commemorations.

The breach exposed copies of the applicants' passports, birth certificates and drivers' licences online, leaving them able to be found via a simple Google search.

Correspondence obtained by RNZ under the Official Information Act shows the website - which was set up by an external contractor - had been given the all-clear by MCH Chief Information Officer Kenny Townsley.

Emails show Townsley conducted a "security review" of the site in early June 2019 after concerns were raised within the Ministry.

As part of the assessment, he sought assurances from the contractor, but did not personally test that the site was secure.

In an email sent on 11 June, the contractor told the Ministry that the website's security was up to scratch, but admitted the personal data being collected was "not encrypted" while being stored on the server.

Later that day, Townsley wrapped up his "review", concluding that the site was "fit for purpose from a security point of view" and all functions should be enabled.

"Information provided by the website vendor ... does verify that security has been considered as a core requirement and they have put in place security measures that would be deemed reasonable and appropriate," he emailed to senior management.

At no stage was the website directly tested by the Ministry to determine whether it was truly secure and appropriately configured.

Several days after the sign-off, MCH deputy chief executive Tamsin Evans received an internal email alerting her that the Tuia 250 website lacked "any of the usual legal protections or disclaimers found on government websites".

"We need to add this information urgently, especially in light of our online forms through which we are collecting sensitive personal information for our trainee applicants," the email said.

An independent review of the botch-up - released in December - concluded the breach was most likely caused by the contractor having incorrect security settings on files containing personal information.

The report stated, however, that the Ministry was ultimately accountable, highlighting its failure to properly test the website's security or carry out a privacy impact assessment.

"The issues with the security settings and the insecure storage of personal information could have been discovered and rectified if penetration testing of the website had been carried out before the application process went live," the report said.

In response to the report's findings, MCH chief executive Bernadette Cavanagh apologised and said she had taken "immediate action" to improve security systems.

The Ministry has since committed to making security testing mandatory on all technical systems holding personal information.

In a statement to RNZ, Cavanagh said she retained full confidence in Townsley.

"He made recommendations based on all the information he was provided at the time," she said.

Cavanagh reiterated that the Ministry took full responsibility for the breach, had carried out a thorough investigation and was focused on preventing a repeat occurrence.

© Scoop Media

Top Scoops Headlines


Gordon Campbell: On The Use Of Existing Drugs To Reduce The Effects Of Coronavirus

So now, we’re all getting up to speed with the travel bans, the rigorous handwashing and drying, the social distancing, and the avoidance of public transport wherever possible. Right. At a wider level…so far, the public health system has ... More>>

Gordon Campbell: On Oil Market And Regulation Crusades

Safe to say, Vladimir Putin did not expect the response he has received amidships from the Crown Prince of Saudi Arabia. Earlier, Russia chose to walk away from the OPEC talks in Vienna that were aimed at reaching an agreement on how to reduce world oil production (and protect oil prices) in the light of the fall in demand being caused by the coronavirus. No doubt, Russia and its allies in the US shale industry probably glimpsed an opportunity to undercut OPEC and seize some of its customers. Bad move. In reply, Saudi Arabia has smashed the oil market by hugely ramping up production, signing up customers and drastically cutting the oil price in a fashion designed to knock Russia and other oil suppliers right out of contention. More>>

Gordon Campbell: On 22 Short Takes About Super Tuesday

With obvious apologies to the Simpsons….Here’s my 22 short takes on the 14 Super Tuesday primaries that combined yesterday to produce a common narrative –Bernie Sanders NOT running away with the nomination, Joe Biden coming back from the dead, and the really, really rich guy proving to be really, really bad at politics. In the months ahead, it will be fascinating to see if the real Joe Biden can live up to the idea of Joe Biden that people voted for yesterday – namely, the wise old guy who can save the country from the political extremism of the right and the left... More>>

Binoy Kampmark: Strong Man Legacies: Burying Mubarak

Reviled strongmen of one era are often the celebrated ones of others. Citizens otherwise tormented find that replacements are poor, in some cases even crueller, than the original artefact. Such strongmen also serve as ideal alibis for rehabilitation ... More>>

Caitlin Johnstone: Humanity Is Making A Very Important Choice When It Comes To Assange

The propagandists have all gone dead silent on the WikiLeaks founder they previously were smearing with relentless viciousness, because they no longer have an argument. The facts are all in, and yes, it turns out the US government is certainly and undeniably working to exploit legal loopholes to imprison a journalist for exposing its war crimes. That is happening, and there is no justifying it... More>>

Gail Duncan: Reframing Welfare Report

Michael Joseph Savage, the architect of the 1938 Social Security Act, wouldn’t recognise today’s Social Security Act as having anything to do with the kind, cooperative, caring society he envisioned 80 years ago. Instead society in 2020 has been reduced ... More>>

Gordon Campbell: On The Addiction To Chinese Student Fees

Last week, Australian PM Scott Morrison extended its ban on foreign visitors from or passing through from mainland China – including Chinese students - for a third week. New Zealand has dutifully followed suit, with our travel ban ... More>>


  • PublicAddress
  • Pundit
  • Kiwiblog