4 Feb 2016

Not the RealMe: 'Secure' id service in security breach claim

9:19 am on 4 February 2016

A user of the government's RealMe identity verification system got sent somebody else's personal details, despite assurances it was a secure way for Kiwis to access online services.

no caption

Photo: 123RF

RealMe was set up in the wake of a string of privacy breaches, and allows New Zealanders to store and access personal information. It can be used on multiple government service websites.

The system, which now has 2.3 million accounts and more than 100,000 verified identities won the Security & Online Safety category at the 2014 Australia and New Zealand Internet Awards.

However, one user contacted Morning Report today after he ended up with someone else's information when he used the RealMe service to access his Work and Income account.

The man - who wished to be known only as Tom - told RNZ he had used the service before with no problems.

When logging in, RealMe users are sent a six digit code in a text message, but when Tom entered the numbers, somebody else's details came up.

He said he had access to personal details such as the other user's phone number and email address, and had the ability to go in and change the details.

Tom said he had been unable to access his own account.

"So my concern is that somebody has access to my details.

"You can access a lot of different government websites and services using this detail and it was touted as the security barrier that we needed. If, for instance, this was the case with a bank, it would be a huge problem, but this is worse, because it's our personal details."

He said after years of dealing with government departments, he was not shocked that the system had failed

"I just thought, oh, here we go again."

RNZ is seeking a response from Internal Affairs, which runs the service.