Nicole Gaston's dream of buying a house took a hit in January 2020.
She applied for a home loan, only for her bank to turn her down - citing her bad credit record.
The Wellington librarian and keen amateur potter, who has a doctorate in information studies, thought there must be some mistake.
Her credit record was spotless.
Or so she thought.
Her bank said she in fact had more than $20,000 in bad debt associated with her name - something a major credit agency confirmed.
Her 227 or "poor" credit rating also meant any credit card application, or any attempt to sign up to a new utility service, was likely to be knocked back, the credit agency said.
The genesis of Gaston's problem, she would eventually work out, dated back to August 2019 when she applied to be part of the Ministry of Culture and Heritage's Tuia 250 project - a series of commemorations marking 250 years since Captain Cook landed in New Zealand.
On August 25, 2019 - after being alerted by the parent of one of the applicants, who saw their child's stolen ID used in a bid for proof-of-identity on Trade Me - the ministry said it had suffered a serious privacy breach that had exposed details of Tuia 250 applicants. Scans of some 373 proof-of-identity documents, including driver's licences, birth certificates and passports, were involved.
The ministry said it had alerted every applicant, and spent $25,000 arranging replacement documents for applicants - including a new driver's licence for Gaston. But the librarian said she thought nothing of it at the time.
"I didn't think a driver's licence would be enough to get credit in my name," she told the Herald. Even when her bank alerted her in January, she was incredulous.
"My immediate thought was, 'It can't be identity theft. It doesn't happen in New Zealand.'"
But it had. An ID thief had used her licence to obtain a line of credit from a finance company, then rack up bad debts with a phone company, an online retailer and some 18 other businesses.
Still totally naive about the world of ID theft, she approached a major credit agency, assuming that the Ministry of Culture and Heritage openly admitting its security blunder, and police investigation, would make restoring her credit record an easy matter.
It was not.
Gaston was told she would have to approach each of the 20 companies carrying the offender's bad debt individually.
That began a slog between phone trees and call-backs and assembling documentation that took the librarian more than 200 hours.
It would be November 2020 before the "long, complex and confusing" process was complete and Gaston could reapply for a home loan.
But by that time, housing prices in Wellington had increased substantially.
"Because of the event, I'd been priced out of the market," Gaston says. (According to the Real Estate Institute of NZ, Wellington saw a 24 per cent increase in its median house price from $718,000 in February 2020 to $890,000 in February 2021.)
The defeat was especially bitter because Gaston's key reason for buying a house was so that her mother, who has Parkinson's disease, could live with her.
"It also caused me to develop a chronic illness," she said. She blamed an eczema breakout on stress caused by the incident.
Independent report finds faults
During her bid to clear her name, Gaston tried calling a hotline set up by the Ministry of Culture and Heritage after its data breach, only to find it had been disabled.
She did discover that in December 2019, the ministry released an independent report (by RDC Group) into the incident that found the website built for Tuia 250 applications had been signed off without security testing - and that testing would have discovered that applicants' identity documents had inadvertently been stored in a public folder.
Security concerns about the Tuia 250 site were raised, and it was taken offline between June 8 and June 12, 2019, but applicants' documentation "remained in an insecure environment from the first deployment of the online application process until the website was taken down on 22 August 2019," the report found.
Multiple Privacy Act breaches
The report also noted the Tuia 250 website had breached several principles of the Privacy Act by:
• Collecting more personal information than was required to make decisions about applicants;
• Failing to store that information securely; and
• Retaining the information longer than necessary. There was no reason to store the applicants' data after the decision had been made.
In Gaston's view, the multiple failures identified by the independent report revealed a pattern of negligence - and in its wake, she had been provided with little support.
She complained to the office of Privacy Commissioner John Edwards, who thought she had a case and brokered a meeting between Gaston and Ministry of Culture and Heritage staff.
"It was a healing experience," to talk to the people involved, Gaston said.
The librarian also got a financial settlement as a result of the meeting. (The ministry declined to talk about individual cases or address whether other settlements had been paid.)
Although it fell far short of the financial damage she had suffered, Gaston said she appreciated the gesture. She told the Herald she would likely donate the money to a charity.
Who ya gonna call?
Another positive outcome from approaching the privacy commissioner was that she learned about the existence of IDCare - a non-profit organisation set up to support the victims of identity theft across Australia and New Zealand.
IDCare was founded in 2014 by a former executive director of the Australian Crime Commission, with support on this side of the Tasman from then Justice Minister Amy Adams.
It handled New Zealand cases from Australia until 2020, when its first NZ office was opened (in Napier).
"What we do and how we do [it] has evolved substantially since 2014, but at the core we remain the same: we are the place people can turn to and have a real person guide them through the steps they need to take to protect themselves," IDCare analyst Kathy Sundstrom says.
"We have also expanded our service to include an Identity Security Operations Centre where a dedicated team of analysts investigate trends from the case notes of those impacted by cybercrime and search the dark net to provide insights for government and organisations and inform directions needed for change."
There's no cost, and you won't be asked to donate (IDCare is funded by its subscribers, who include government departments, and the likes of major banks and airlines, and clients). But you will get assigned a cyber-security case manager.
IDCare has a relatively low profile, yet is still busy.
"On average, we respond to around 50 New Zealand client engagements a day to our New Zealand office and 480 across Australia and NZ combined," Sundstrom says.
What could have been done
So what could the agency have done in the case of the Tuia 250 data breach?
"If we had been engaged by the Ministry for Culture and Heritage to manage the data breach in the first place, Nicole wouldn't have discovered there was no one to talk to about her incident five months after the event," Sundstrom says.
"There is no deadline for accessing our National Case Management Centre if the breached organisation has engaged our services – if someone discovers 10 days or 10 years down the track they have been impacted, our service remains the same.
"Nicole would have been able to speak to a specialised and independent case manager who would have guided her through steps to protect her accounts and her identity, correct the damage that had already taken place (her credit score) and prevent future harm.
"We could have worked with the ministry to ensure that its incident responders were aware of the risks IDCare sees impact the New Zealand community each day when it comes to personal information abuse and the counter-measures available."
A police spokesperson told the Herald an investigation of the Tuia 250 data breach, now concluded without any arrests, "determined the details and identification documents of 329 individuals were accessible online".
The investigation could not establish who accessed the documents or whether they were published anywhere, the spokesperson said.
"Two incidents were reported to police involving two people whose identification documents were accessible online and were later used fraudulently," the spokesperson said.
One person was subsequently charged with dishonestly using a document, but police say they are not clear if that offender got the ID as a result of the Tuia 250 breach.
Response to ID theft investigated
A spokesperson for the Office of the Privacy Commissioner said, "We can confirm that OPC did investigate the Tuia 250 case and facilitated settlement between Dr Gaston and the Ministry of Culture and Heritage.
"As Dr Gaston's story attests, identity theft can have a devastating impact on someone's life."
The public watchdog is also on the front foot, assessing whether credit agencies need to up their game.
"The OPC is investigating credit reporting agencies' response to identity theft and fraud complaints. This is to ensure it is easy for people who find themselves in Dr Gaston's position, the victim of identity theft and credit fraud, to rehabilitate their credit," the spokesperson said.
The Office of the Privacy Commissioner spokesperson also stressed that, like IDCare, it has a strict policy of respecting complainants' right to anonymity.
"The OPC has been authorised by Dr Gaston to comment on the matter. This is a rare exception to OPC's policy of strict confidentiality," they said.
Steps to protect yourself in the event of ID theft
Gaston says that if she had known at the time of the Tuia 250 data breach what she knows now, the first thing she would have done was request "credit file suppression" of her credit record. That step means there are more hoops to jump through if you want to apply for credit (third parties can no longer access your credit record without your written permission), but it also makes it less likely that an ID thief can take out credit in your name.
She also plans to be a lot more careful, and questioning, when any site asks for a copy of an ID document.
The Privacy Commissioner says you should contact NZ's three national credit reporters (Centrix, illion, and Equifax) to request that they freeze your credit files.
The Commissioner also recommends you contact IDCare and Crown cybersecurity agency Cert NZ - which can, in turn, direct you to the best police contacts. And if your privacy has been breached, you can also contact the Privacy Commissioner's office.
The privacy commissioner also recommends being proactive in monitoring for possible ID theft:
• Keep an eye on your bank accounts and credit cards, and follow up immediately if anything looks odd.
• Check your credit file every six to 12 months or set up a credit alert.
• Check your exposure to identity theft with the Asia Pacific Privacy Authorities' ID Theft tool.
An update to the Privacy Act, which came into force on December 1, 2020, makes it mandatory for an organisation to disclose a data breach to the Privacy Commissioner.
You should also take steps to limit the risk of ID theft in the first place. Key measures:
• Have strong, unique passwords for every site, and don't disclose them to anyone.
• Be careful when using public Wi-Fi, and don't do internet banking or make online purchases using it.
• Don't click on links in unsolicited emails, and never give out personal information to a cold-caller or someone whose identity you are not sure of.
• Use the privacy settings on your social media, and remember that anything you put online stays online. If you don't want it to become public, don't put it there. It only takes one friend to forward your photo or comment for the world to see it.