Key Points:

  • 302 people are affected by a major security breach which has exposed private details of young New Zealanders.
  • 373 separate documents have been compromised - including passports, birth certificates and drivers' licences.
  • The Ministry of Arts, Culture and Heritage has apologised for the breach, saying it was "completely unacceptable".
  • The details are of young people who applied to the ministry to be part of the Tuia 250 commemorations, marking 250 years since Captain Cook landed in New Zealand.
  • The ministry was alerted to the breach by a parent, and all affected people now know about the incident.
  • The breakdown of the documents comprised are: 228 passports (209 NZ, 19 international (Australia, Brazil, China, US, Canada, South Africa, UK, Denmark), 55 driver's licences, 36 birth certificates, 6 secondary school IDs, and 5 NZ residential visas.

Prime Minister Jacinda Ardern says a major government security breach is "very disappointing" after private details of hundreds of young New Zealanders, including passports, birth certificates and drivers' licence details, were exposed on a website.

The young people had supplied their details to the Ministry of Arts, Culture and Heritage (MCH) as part of their applications to sail on the double-hulled canoe Fa'afaite, as part of the Tuia 250 commemorations marking 250 years since James Cook landed in New Zealand.

The breach could impact 302 people who applied for the programme and provided personal details as part of the process.

Advertisement

The ministry was alerted to the breach by a parent. It has apologised, saying the breach is "completely unacceptable".

"The breach – which happened as a result of an information management issue - means that identity documents, and other personal information, were able to be accessed via the Tuia 250 website," Ardern said.

"This is very disappointing, and Manatū Taonga will be commissioning an external review to determine how this occurred. It is too early for me to comment further."

All those affected have been contacted, officials say.

MCH chief executive Bernadette Cavanagh and the Government's chief digital officer, Paul James, outlined the details of the breach in Wellington today.

The breach was discovered on Thursday and the website, a special one set up for the purpose, was shut down on Friday.

Explaining in detail how the breach was detected, Cavanagh said someone had been fraudulently trying to buy a ticket, believed to be a concert ticket, online using the driver licence ID of one of the applicants for Tuia 250.

Ministry for Culture and Heritage chief executive Bernadette Cavanagh. Photo / Supplied
Ministry for Culture and Heritage chief executive Bernadette Cavanagh. Photo / Supplied

The vendor of the ticket thought something was not quite right so contacted the holder of the licence and confirmed that the holder was not the person trying to buy the ticket. Police are investigating.

Advertisement

Cavanagh said she sincerely apologised to those impacted by the breach and said it was a "coding error".

"I would like to apologise to all the people affected by this breach," Cavanagh said.

"I acknowledge that this is completely unacceptable and am using every resource available to me to support them through this issue."

She said that while the trip was open to people aged 16 to 75, the majority of applicants were aged 16 to 20.

Cavanagh said security investigators didn't think it was a targeted attack on the website,
"but rather an opportunistic finding of information that wasn't as secure as it should have been".

The ministry has undertaken specialist security investigations to identify the scope of the breach.

Of ID documents compromised, there were 228 New Zealand passports, 55 driver licences, 36 birth certificates, six school IDs, and five residential visas.

The MCH digital breach comes less than three months after failures of website security at the Treasury during which the National Party Opposition got parts of confidential Budget documents through a simple search.

The Fa'afaite is due to arrive in Gisborne in early October and then visit various centres around New Zealand.

Prime Minister Jacinda Ardern is the Culture and Heritage Minister.

Budget leak:

The incident comes three months after Treasury claimed its website was hacked, allowing the leak of confidential Budget information.

The National Party had released "top secret" details of the Budget, and Treasury said it had evidence that there had been "deliberate and systematic" hacking, with the website accessed more than 2000 times.

The matter was referred to police on the advice of the national cybersecurity unit in the Government Communications Security Bureau. However, it later emerged that National staffers had used a simple search function to get the information.

A subsequent investigation, launched by State Services Commissioner Peter Hughes, into whether former Treasury boss Gabriel Makhlouf misled the Government found he had acted in good faith, but that his actions were not reasonable and he should have taken more personal responsibility.

Makhlouf left the position in late June to take up a role as head of the Irish Central Bank.

A separate inquiry into how sensitive information on the Treasury's website wasn't secure is ongoing. That is looking at what happened, why it happened, the lessons learned, and the actions the Treasury needed to take to prevent it happening again.

Murray Jack is heading that inquiry. He is a professional director, chair of Chartered Accountants Australia and New Zealand and a former member of the board of the Financial Markets Authority. He was previously chairman and chief executive of Deloitte NZ.