Manatū Taonga Ministry for Culture and Heritage is investigating a serious digital privacy breach impacting 302 people who applied for the Tuia 250 Voyage Trainee programme.
The programme, which celebrates New Zealand's Pacific voyaging heritage, gives New Zealanders the opportunity to sail aboard the vessels in the Tuia 250 Voyage from October through to December of this year.
The breach could impact people who provided personal details as part of the programme's application process, including images of passports, driver licences, birth certificates and other forms of identification stored on the website. The current stage of the investigation shows that at least 370 documents have been compromised.
The Ministry has undertaken specialist security investigations to identify the scope of the breach.
"I would like to apologise to all people affected by this breach," Ministry Tumu Whakarae chief executive Bernadette Cavanagh said in a statement. "I acknowledge that this is completely unacceptable and am using every resource available to me to support them through this issue."
Ms Cavanagh said the breach "has revealed a serious information management issue on an external site commissioned for the Tuia Encounters 250 national commemoration, of which the Tuia 250 Voyage Trainee programme is a part."
Security investigators advised Ms Cavanagh that the breach "wasn't a targeted attack on the website, but rather an opportunistic finding of information that wasn't as secure as it should have been".
The issue was identified on Thursday, August 22, after a parent of one of the applicants alerted the Ministry to a fraud attempt using a copy of a driver licence stored on the site. The matter has since been referred to police, who are progressing with the complaint.
All personal information was immediately removed from storage on the website following the incident. On Friday, August 23, the website was shut down and a security investigation was undertaken to identify those affected. The people impacted were notified of the breach on Saturday, August 24.
"We have let down applicants. They trusted us with their sensitive information and documents and we recognise that for many people their personal information is taonga. The level of security required to keep that information confidential simply wasn't good enough," she said.
Ms Cavanagh has asked for an external review to "see what went wrong" and to ensure that the Ministry's process for gathering and storing information is robust, she said.
"I would like to sincerely apologise to those impacted by this situation. My number one focus is ensuring that affected people have the level of support they need."
"We are currently working with Google and other search engines to remove any cached versions of this information. This is a process that could take some time to resolve, but we are committed to doing everything we can to have this information removed."
A cross-government response team has since been established to support the people affected, including the replacement of passports and driver's licences as needed, as well as providing a freephone call centre and dedicated email address.
"We have contacted all the people affected and are working with them on a case-by-case basis to minimise the impact of the breach and ensure they have access to the support and services they need."
The breach comes three months after Treasury was hit with a major data leak, revealing confidential budget information.
What information has been affected?
- 302 people are affected. They are people who registered for Tuia 250 trainee’s programme
- 373 separate ID documents have been compromised
- Passports/Drivers Licences/Birth Certificates and other forms of identification
- 228 NZ passports (209 NZ, 19 international (Australia, Brazil, China, US, Canada, South Africa, UK, Denmark)
- 55 driver licences
- 36 birth certificates
- 6 secondary School IDs
- 5 NZ residential visas