9 Sep 2019

Data breach after lax NZTA security

10:30 am on 9 September 2019

The investigation and subsequent reports were completed by Deloitte under a process that was subsequently found to be inadequate and as a consequence NZTA no longer stands by the findings of those reports — which have been removed from NZTA’s website.  NZTA has also apologised to the manager who was the subject of the reports.

The New Zealand Transport Agency (NZTA) has admitted to a technology botch up leaving what was meant to be a highly secure data key wide open.

"The transport agency can confirm the Google API was incorrectly left open as part of the Traffic Watcher pre-production set up," NZTA said in statement.

The key is a unique code used to access data from Google's application programming interface (API), in this case through 2018 and in early 2019. It was used to build Traffic Watcher, an online tool for transport operations centres, maintenance contractors and the police.

Sources familiar with the system said when Traffic Watcher was soft-launched in early 2019 this unique key was hardcoded into it, so those with simple IT skills could view and copy it. Equipped with that key, it was possible to access other API data with billing passed to NZTA.
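The failure described above is a key that is readable by anyone who opens the shipped front-end code. The check below is an added example, not NZTA's or RNZ's code: a pre-release gate that scans built web assets for embedded Google API keys so a build like this is blocked before it is published. It assumes the usual shape of a Google API key (the prefix `AIza` followed by 35 characters from `[0-9A-Za-z_-]`, the pattern secret scanners commonly use); the sample bundle and the placeholder key are constructed for the example.

```python
"""Pre-release scan of front-end assets for embedded Google API keys.

Added example (not NZTA's or RNZ's code). Assumptions not taken from the
article: the AIza + 35 character key shape, and the constructed sample
assets below.
"""
import re
from dataclasses import dataclass

# Shape of a Google API key as matched by common secret scanners (assumption).
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")


@dataclass
class Finding:
    path: str        # asset that embeds the key
    line: int        # 1-based line within the asset
    masked_key: str  # never log the full secret


def mask(key: str) -> str:
    """Keep enough of the key to identify it without reproducing it."""
    return key[:8] + "..." + key[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every key-shaped literal found in one asset."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, mask(match.group(0))))
    return findings


def scan_assets(assets: dict[str, str]) -> list[Finding]:
    """Scan a mapping of asset path -> asset contents (a built bundle)."""
    findings: list[Finding] = []
    for path, text in assets.items():
        findings.extend(scan_text(path, text))
    return findings


def release_gate(assets: dict[str, str]) -> bool:
    """True when the build contains no embedded keys and may be released."""
    return not scan_assets(assets)


# Constructed sample: a placeholder key (not a real credential) embedded in
# one bundle, and a second bundle that fetches its configuration at runtime
# from the server instead of shipping a secret to the browser.
SAMPLE_KEY = "AIza" + "A" * 35
SAMPLE_ASSETS = {
    "dist/app.bundle.js": (
        "const mapsUrl = 'https://maps.googleapis.com/maps/api/js?key="
        + SAMPLE_KEY + "';\n"
        "loadScript(mapsUrl);\n"
    ),
    "dist/vendor.js": (
        "export const cfg = fetch('/api/config').then(r => r.json());\n"
    ),
}

if __name__ == "__main__":
    for f in scan_assets(SAMPLE_ASSETS):
        print(f"{f.path}:{f.line}: embedded Google API key {f.masked_key}")
    print("release allowed" if release_gate(SAMPLE_ASSETS) else "release blocked")
```

Run against the real build output directory instead of `SAMPLE_ASSETS`, the gate fails the release the moment a key literal appears in anything served to browsers. Beyond what the article covers: a key that genuinely must be present in client code should be restricted at the provider to the referrers and APIs it needs and its usage monitored, so that a copied key cannot be billed freely to the owner.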

NZTA denied the bungle cost taxpayers but admitted it did not keep track of such expenses.

It is now in talks with Google about a possible data breach.

Traffic Watcher was accessed 600 times in March and July this year but almost 3000 times in May.

NZTA has not confirmed if the May surge was due to the insecure key, did not say when it finally secured the key, nor has it provided the earlier site usage figures.

However, it has confirmed to RNZ that it corresponded with Google about a breach or possible breach of data storage.

Google declined to comment.

RNZ's OIA request for details was immediately rejected by NZTA on commercial sensitivity grounds.

"There was one known attempt by a contractor to use this API, which Google shut down as part of their management and security processes, and so stopped access," NZTA said in a statement.

However, Traffic Watcher was developed by an NZTA business unit, which a recent independent review found "was given an extraordinary degree of freedom" that was abused in multiple ways.

Ninety percent of the unit's 100 or so staff were short-term contractors who were allowed to use personal computers and personal emails to do work, and misused NZTA domain names.

"Shadow technology, inconsistent identity and access management processes, and a lack of technical and architectural input have led to vulnerabilities in security and resilience," the review said.

There is industry speculation that misuse of the API key was widespread, that contractors took the key's details with them when they left, and that the bill being sheeted back to NZTA was high.

The agency denies this: "At no time has NZTA faced increased costs over its licenced amounts for access through Traffic Watcher, nor has the agency incurred any additional costs as a result."

But a separate OIA response from NZTA shows:

  • It did not keep track of Traffic Watcher data costs.
  • It did not keep track of the cost of research and development on Traffic Watcher from February to December 2018.
  • It could not disclose these costs because they were not individually accounted for, it said.

Traffic Watcher's development costs this year to June were $375,000.

The independent review in July does not mention the API problem.

But it said financial governance at an NZTA business unit was lax so funds were not clearly accounted for. There was an inability to accurately identify expenditure.

"A lack of oversight undermined [the unit's] ability to deliver and operate quality products," it said.

NZTA's contracts with Google contributed to a 75 percent leap in its software licensing fees last year, up from $4m to $7m. Its data access and storage fees are not recorded.

NZTA would not provide details. It cited commercial sensitivity for refusing RNZ's OIA request to disclose:

  • What its three Google contracts are worth.
  • The operating costs for the Google data or cloud contracts.
  • What it has paid for data services in total since 2013.

The Google contracts do not appear among the hundreds of NZTA contracts that have been made public.

Google got the contracts directly and there was no public tender. NZTA said it followed its procurement rules.

Transport Minister Phil Twyford's office said he was made aware of the Traffic Watcher app, and the costs and problems at the NZTA business unit, as part of the July review.

The business unit circumvented many public sector controls, with the knowledge of former NZTA chief executive Fergus Gammie, the review found.

It was shut down earlier this year after Mr Gammie and the unit director resigned.
