Ministry for Culture and Heritage privacy breach: 'Somebody has to be held to account'

9:13 am on 26 August 2019

One of the victims of a serious privacy breach has hit out at the ministry responsible, saying he feels it is more concerned with protecting itself than him.

Culture and Heritage Ministry chief executive Bernadette Cavanagh

Culture and Heritage Ministry chief executive Bernadette Cavanagh said her "number one focus" was providing support to those affected. Photo: RNZ / Charlotte Cook

The Ministry for Culture and Heritage yesterday revealed it had mistakenly exposed the sensitive details of about 300 mostly young people online.

Life coach Anaru Barton told RNZ that ministry staffers had alerted him over the weekend that some of his information had been compromised.

"They said the breach wasn't a problem, really, it was just a third party using information."

Mr Barton said it sounded like the ministry was trying to downplay the mistake and was looking after the organisation "more so than looking after me".

"Breaches of privacy are obviously quite serious.

"This is the government we're talking about. They should know the laws more than anybody about privacy and making sure information is secure."

He said it was "unsettling" to think that copies of his birth certificate and driver's licence could be in the hands of fraudsters.

"I don't know how many people, or who, or where my information has gone," Mr Barton said.

"My trust levels for giving anything to the government now are pretty low.

"Somebody has to be held to account for this."

The ministry had not advised him what steps he could take to protect himself, he said.

"Basically, all they've asked me to do is respond to an email ... and give them consent to work on my behalf."

On Monday, the ministry's chief executive Bernadette Cavanagh told Morning Report: "I have asked for an independent review to thoroughly look at what happened and make sure this does not happen again and can I also just say how sorry I am to the individuals that are affected, this is completely unacceptable and we are doing everything we can to help them through it...

"We have been in touch with Google and some of the other big search engines and have asking them to remove cached images wherever possible and we will keep doing that work with other partners across government to try to get those images offline."

But it was still possible that the information could be accessed online.

She said all of the ministry's websites were being checked for security.

Technology commentator Paul Spain told Morning Report the website used was a basic Word Press model.

"I think it does come down to poor practice and not really considering what sort of data that they were storing and what's an appropriate place to store it.

"I know there have been suggestions from the head of the Ministry of Culture and Heritage that this is a coding error, that doesn't really sit right with me ... this appears just to be a standard Word Press website, a lot of organisations use this type of website, but it's not the sort of place you should be storing very confidential information such as people's passports and personal identification."

He said while most of the information was gone from the internet, the question was who had accessed it while it was online.

"This could be a problem for them for months if not years to come because others are now able to impersonate them and they could do all sorts of things when they [can] pretend to be someone else."

Mr Spain said the issue couldn't be put right.

"The cat's out of the bag now, it's a lesson to be learned, and not just by government ... this is a challenge right across the country ... everybody wants to see a copy of your personal identification and in many cases there are not good robust processes for how that information is stored."

Privacy Commissioner John Edwards said the breach had the potential to undermine confidence in people's interactions with the government.

It was hard to know how far the information had been shared, he said.

Privacy Commissioner John Edwards

John Edwards. Photo: Supplied / Office of the Privacy Commissioner

Whether people were in any kind of danger depended on the type of documents uploaded and how fast people could get replacement documents, he said.

Identity theft was one of the risks, but so was fraud and personal security in some circumstances.

"I understand that this was a third party provider who had been commissioned to provide this functionality so one thing that I think is quite important is that this does not necessarily indicate a lack of security across all government platforms, which I think generally is of a very high level."

Ms Cavanagh said the third party provider hadn't been involved in any other websites.

Replacing documents

On Sunday, Ms Cavanagh said her "number one focus" was providing support to those affected.

"We're taking whatever measures we possibly can, whether that be giving them new documents, new passports, new drivers' licences.

"And also trying to provide support and advice ... that they might be able to take to be a bit more sensitive and cautious now that their information has been unfortunately published."

All those affected had been offered replacement documents free of charge, Ms Cavanagh said.

Those included passports and drivers' licences.

The ministry had also created a "one stop shop" webpage with information for those affected.

Ms Cavanagh told Morning Report many of its questions for her would be answered by the review into the breach.

No confidence

National MP Nicky Wagner told RNZ the error appeared to be "a mixture of carelessness and naivety"

She said the public's faith in the government's ability to keep information safe would be disappearing fast.

"I have no confidence and I can't expect the public to have confidence. This is appalling."

The government's chief digital officer, Paul James, acknowledged the error would dent public trust.

"Every day, government holds, protects, transacts millions and millions and millions of pieces of personal information and does so safely and securely.

"However, when we don't get it right, it clearly has an impact on trust and confidence."

Mr James said he would write to all public chief executives to remind them of the required standards and to confirm they were complying.