20 Sep 2019

PM faces more questions following privacy breach

4:03 pm on 20 September 2019

A review into the Ministry for Culture and Heritage will look into the relationship between a staffer and the external developer responsible for a massive data breach.

11 October 2018. Prime Minister Jacinda Ardern and Sport and Recreation Minister Grant Robertson have launched a new strategy that champions equality for NZ women and girls in sport and active recreation.

Photo: RNZ / Dan Cook

Last month hundreds of young people had their sensitive details exposed online, including passports, birth certificates and drivers' licences.

About 300 people provided their information when applying to take part in the Tuia 250 commemorations.

The applications were uploaded to an external website that didn't have sufficient protections.

National Data and Cybersecurity spokesperson Shane Reti said new information about the extent of the breach shows the Prime Minister has more questions to answer.

In response to written questions, Māori Crown Relations Minister Kelvin Davis confirmed the site developer was "known" to at least one staffer at the Ministry.

"The Ministry has commissioned an independent review of decisions and processes relating to the procurement and management of the Tuia 250 website.

"The review will consider the nature and impact of any personal relationships on the breach," the response said.

Dr Reti said it's clear the developer wasn't up to the job and the public deserves to know if they were awarded the contract because of a personal relationship.

"Because that would then raise the question as to what other conflicts of interest might be apparent within the Ministry, have been apparent within the Ministry, and could also be compromising other processes, activities, and other data," he said.

Another response from Mr Davis confirms that there is no audit log of visitors to the site: "I am advised that the Tuia 250 website did not maintain a permanent audit log of all visitors and transactions. The server did have a record of visitor information, kept for a limited time-period. This will be considered as part of an independent review and no further comment can be made at this time."

Dr Reti said this is concerning.

"There's no way of knowing who's accessed that personal information or how many times it was accessed.

"Children's details were leaked on the internet and the Ministry doesn't even know who's seen them," he said.

Dr Reti also sought more clarification about the number of people affected by the breach.

Another seven individuals were identified as being affected in a secondary audit, taking the total to 309, 71 of whom were aged between 14 and 17.

In a written response, Mr Davis said there were also 94 people affected in a "secondary manner".

"The majority of these were applicants' parents whose details were listed on their birth certificates. The Ministry continues to work with all relevant agencies, including the police, to ensure the replacement of documentation, where appropriate, and the safety of anyone whose privacy was breached," the response said.

Prime Minister Jacinda Ardern said the Ministry has a responsibility to ensure this wrong is corrected and that people are supported.

"From the beginning [we were] very mindful of the fact that we had a portion of people who were affected by the breach who were young people.

"The offer has been directly made to replace I.D documents...equally police were sought for advice and support for those affected.

"Every offer of assistance has been made and that contact will be ongoing as the Ministry for Culture and Heritage work through any wider impacts," she said.

But Ms Ardern said there is also a much wider message here.

"We cannot be complacent about people's private data and information online. We're making moves as government to ensure there is a much higher expectation about protecting people's information, that's a culture change we need in New Zealand," Ms Ardern said.