NZTA again forced to contact the Privacy Commissioner after another privacy breach

In a statement, Transport Minister Phil Twyford said: "Obviously this isn't ideal but people make mistakes" photo / George Novak

The New Zealand Transport Agency is embroiled in yet another privacy saga, after accidentally revealing the private email addresses of almost 900 people in a mass traffic update email.

This comes not long after the agency was forced to notify the Privacy Commissioner after it lost an unencrypted USB drive containing the personal information of 1000 people.

A spokesman for the Transport Agency (NZTA) confirmed to the Herald that it had contacted the commissioner after its most recent privacy breach.

"We can confirm that an email with a traffic update from the Southern Corridor Improvements project team was sent which left all of the recipients' email addresses visible to other recipients," he said, and added that it was a case of human error.

A further email was sent to all of the 885 affected email recipients on Monday morning, drawing their attention to the error and apologising for it, the spokesman said.

The first email was sent on Friday.

In a statement, Transport Minister Phil Twyford said: "Obviously this isn't ideal but people make mistakes.

"I'm sure the staff involved feel badly about the mistake and they will make sure it doesn't happen again."

But National's cybersecurity spokesman Shane Reti said privacy breaches are becoming a pattern from NZTA.

"Twyford needs to step up and take charge of his agency," he said, adding that this was another example of NZTA failing under his watch.

He said accidently including email addresses in a broadcast email was a "cybersecurity 101" failure, and many sensible organisations have filters that check exactly this sort of thing.

"The Minister needs to own this mistake and urgently cyber credential NZTA."

The NZTA spokesman said the agency takes any breach of privacy "very seriously".

"We regret that this has occurred and steps have been taken to ensure that it is not repeated, including requiring an additional review step before the distribution of such updates."

A spokesman for the Privacy Commissioner said although the breach was "far from ideal," the information disclosed was at the less serious end of the range of personal information.

"While there may be a possibility of harm to an individual resulting from this breach, it is also at the low end of probability."

The privacy breach comes just months after NZTA was forced to notify the Privacy Commission about a lost USB drive, which was misplaced somewhere between Auckland and Wellington late last year.

As well as notifying the Privacy Commissioner, NZTA also launched its own internal investigation.

That investigation has finished and an NZTA spokesman said the report, and its recommendations, would be finalised soon.

But he confirmed the USB stick had still not been found.