'Coding error' compromises passports, driver licences in Ministry of Culture and Heritage data breach

Manatū Taonga Ministry for Culture and Heritage chief executive Bernadette Cavanagh says more than 300 people who had applied to be part of the Tuia 250 sailings around the New Zealand coast have been affected by a digital privacy security breach.The mother of a teenager affected by a major Government digital privacy breach says she's alarmed at the ease with which her son's information was shared online. The Ministry for Culture and Heritage revealed on Sunday more than 300 people had had their personal documents compromised following a "coding error" on a ministry-commissioned website.
The 370-plus documents belonged to people who had applied to be part of the Tuia 250 sailings around the New Zealand coast – part of commemorations marking the 250th anniversary of the first onshore meetings between Māori and Europeans.

Leaked documents included 228 passports, 55 driver licences and 36 birth certificates, as well as other information such as secondary school IDs and residential visas.

READ MORE:
* Intimate medical data exposed
*Applicants exposed to data breach

Ministry chief executive Bernadette Cavanagh said at a press conference in Wellington on Sunday that the information had been publicly available since June on a website created for the Tuia 250 event, before the breach was discovered on Thursday.

It was realised only after a parent of one of the applicants reported a fraud attempt using one of the obtained driver licences. The incident was referred to police.

ROSS GIBLIN/STUFF

Ministry for Culture and Heritage chief executive Bernadette Cavanagh said more than 300 people had been affected by a digital privacy security breach.
Another parent, Liz McKay, said she received a call from a ministry official at 8pm on Saturday to say her 16-year-old son's privacy had been breached.

She was advised her son's passport details had been leaked, but was unable to obtain any further information.

"I have no idea if it was just passport details or medical and personal information [leaked], and who has it. I have concerns about identity theft."

McKay said it was unusual to receive a call from a Government agency on a Saturday night, and she was stunned she was only asked for her email address as proof of identity.

"I just thought Government processes were much better in terms of security, especially in this day and age."

Cavanagh said the mistake was the result of a coding error. She had ordered an independent review into what went wrong.

"It's very disappointing that we didn't know, and this was a mistake and I just apologise sincerely."

The website was created by a company commissioned by the ministry, but was not a ministry website, Cavanagh said.

She declined to name the company, but said it had not been involved with any other Government agencies.

Prime Minister Jacinda Ardern, who is also Minister for Arts, Culture and Heritage, said she had been made aware of the breach involving personal information provided to the ministry as part of the application process for trainee berths in the Tuia 250 Voyage programme. "This is very disappointing, and Manatū Taonga [the ministry] will be commissioning an external review to determine how this occurred."
MINISTRY FOR CULTURE AND HERITAGE

The event page on which the information was exposed was taken down on Friday.

National's Arts, Culture and Heritage spokesperson Nicky Wagner said Ardern must take responsibility and act decisively in the wake of the unacceptable data breach.

"It's not good enough that 302 people have had their private details exposed online by a so-called 'coding error'. The public expects better from security systems overseen by the Government, and rightly so."

The breach was "not a good look" following Treasury's leaking of Government Budget documents in May.

The ministry had spoken to more than 200 of the affected people by Sunday morning, with messages and emails left for the remainder.

Cavanagh said the leaked information was removed on Thursday, with the Tuia 250 event page taken down on Friday.



Similar Articles:

Former Equifax executive sent behind bars for insider trades, profiting on data breach

Former Equifax executive sent behind bars for insider trades, profiting on data breach

Facebook Succeeded In Killing Cybersecurity Like It Did Privacy

Facebook Succeeded In Killing Cybersecurity Like It Did Privacy

Clothing marketplace Poshmark confirms data breach

Clothing marketplace Poshmark confirms data breach

Cyber security issues in 2018: three most prominent data breaches

Cyber security issues in 2018: three most prominent data breaches