How it came to light: Coding error to blame for data breach

A coding error is to blame for a serious digital privacy breach impacting 302 people who applied for the Tuia 250 Voyage Trainee programme, according to minister in charge of Culture and Heritage, Bernadette Cavanagh.

Your playlist will load after this ad

The minister in charge, Bernadette Cavanagh faced media today to explain how it happened. Source: 1 NEWS

Manatū Taonga Ministry for Culture and Heritage is investigating the breach which was discovered on Thursday, August 22 after a parent of one of the applicants alerted the Ministry to a fraud attempt using a copy of a driver licence stored on the site.

Ms Cavanagh said it was not a Ministry for Culture and Heritage website but a site that was established by an external provider, specifically for the Tuia programme.

The current stage of the investigation shows that at least 370 documents have been compromised.

The matter has since been referred to police, who are progressing with the complaint.

Ms Cavanagh along with Paul James, Chief Digital Officer fronted media today to answer questions about how it happened.

Ms Cavanagh said a coding error was to blame and consequently the "right protections were not put in place".

"This was just an opportunistic and targeting and finding of information," she said.

Mr James confirmed the website had not been configured correctly.

Ms Cavanagh says the website involved did not have the same security measures as other government websites.

“That will be part of the review. And I guess that’s one of the issues, that’s where we had a breakdown. There as a mistake.”

The fraudulent act was discovered after a parent was alerted after the data thief tried to buy a ticket online.

"Somebody was trying to purchase a ticket online and they were asked for identity as part of that purchase.

"The identity that they sent through was the driver license of one of the Tuia applicants. When the seller received that they thought it didn’t quite match up and so they contacted the person who owned the drivers license and that’s how it came to light," Ms Cavanagh says.

All personal information was immediately removed from storage on the website following the incident. On Friday, August 23, the website was shut down and a security investigation was undertaken to identify those affected.

She says a digital forensic team has also been involved to ascertain who exactly has been affected, with all 302 victims telephoned and emailed yesterday by the Ministry.

Ms Cavanagh says new passports and driver licenses will be re-issued at no cost following the breach.

Jacinda Ardern says the breach is "disappointing".

"I have been made aware there has been a digital privacy breach involving personal information provided to Manatū Taonga Ministry for Culture and Heritage as part of the application process for trainee berths in the Tuia 250 Voyage programme."

"The breach – which happened as a result of an information management issue - means that identity documents, and other personal information, were able to be accessed via the Tuia 250 website."

"This is very disappointing, and Manatū Taonga will be commissioning an external review to determine how this occurred. It is too early for me to comment further," Ms Ardens says.