One of the biggest data breaches by a government department in 2019 was the Tuia250 data breach by the Ministry of Arts Culture and Heritage, led by Jacinda Ardern. The breach affected more than 300 people including 71 young people and involved 228 passports (209 NZ and 19 international: Australia, Brazil, China, US, Canada, South Africa, UK and Denmark).
To put this breach in scope, I am not aware of any other government department that has breached more young people's data during this current government. To put the breach in context, the same ministry had two previous data breaches before Tuia250 and even after the breach was discovered on August 22 a further data breach occurred a few weeks later on September 5. It would seem Ardern's ministry was responsible for one of the biggest data breaches of young people's data by a government department in 2019.
• Ministry for Culture and Heritage reports serious digital privacy security breach
• Govt clamps down on web service providers after data breach
• Watch: Prime Minister Jacinda Ardern faces questions about massive data breach
• Premium - Audrey Young: How latest privacy breach will impact on Jacinda Ardern's Government
The breach was discovered after a complaint that a driver's licence stored on the site had been used fraudulently. The website was shut down and an independent review ordered. The independent review was to be received by October 18 but was not released until December 18. This was the last day Parliament sat. The timing was somewhat cynical considering the review was not then available for scrutiny under oral questions in the house.
The independent review raises more questions than answers.
What is the nature of the connection between the staff member and the website supplier ? It appears the website supplier was initially recommended by a member of staff with whom there was a "connection and a professional relationship". After a failed attempt at just contracting this one supplier the contract was made contestable and the staff member was removed from decision making, but continued to provide information during the bidding stage just to the original supplier who eventually won. The review states "it is not good practice to only provide assistance to one supplier" effectively meaning the two other suppliers bidding for the contract did not have the same information to bid with. This would not seem a fair and robust process.
The contract for the website was signed off by the deputy chief executive. Did management also know the website supplier and the relationship with the staff member ?
When things went wrong, the website audit logs became crucial. The contract required a standard 12 months of audit logs but the independent review found there were actually only five days of audit logs. Was the supplier robust enough to deliver this project or did a "connection and a professional relationship" become a conflict of interest ?
The ministry's response to the nine recommendations in the review does go some way to addressing the issues, but is clearly too little, too late. The data has escaped into the ecosphere and has already been used fraudulently. The review states there have already been 20 official complaints from applicants.
Air NZ service provider Travelex held to ransom by hackers demanding $8.5m
The Privacy Act 1993 has been recently revised and one area that has been tightened up is the response to data breaches. This will bring us more in line with international jurisdictions who rightfully expect us to look after their data just as we expect our own government to look after and protect our own data. In this particular case, there are still many questions to be asked around the Tuia250 data breach.