Scoop has an Ethical Paywall
Licence needed for work use Learn More
Top Scoops

Book Reviews | Gordon Campbell | Scoop News | Wellington Scoop | Community Scoop | Search

 

Tuia 250 privacy breach: Tech boss signed off on government website with no testing

A top tech boss at the Ministry of Culture and Heritage (MCH) reviewed the Tuia 250 website's security and declared it "fit for purpose" just two months before a major breach was uncovered, new correspondence shows.

The waka flotilla arrives in the bay as part of the Tuia 250. Photo: RNZ / Meriana Johnsen

The security lapse - discovered by a member of the public in August 2019 - compromised the privacy of roughly 300 young people who had uploaded sensitive material while applying to take part in commemorations.

The breach exposed copies of the applicants' passports, birth certificates and drivers' licences online, leaving them able to be found via a simple Google search.

Correspondence obtained by RNZ under the Official Information Act shows the website - which was set up by an external contractor - had been given the all-clear by MCH Chief Information Officer Kenny Townsley.

Emails show Townsley conducted a "security review" of the site in early June 2019 after concerns were raised within the Ministry.

As part of the assessment, he sought assurances from the contractor, but did not personally test that the site was secure.

In an email sent on 11 June, the contractor told the Ministry that the website's security was up to scratch, but admitted the personal data being collected was "not encrypted" while being stored on the server.

Advertisement - scroll to continue reading

Later that day, Townsley wrapped up his "review", concluding that the site was "fit for purpose from a security point of view" and all functions should be enabled.

"Information provided by the website vendor ... does verify that security has been considered as a core requirement and they have put in place security measures that would be deemed reasonable and appropriate," he emailed to senior management.

At no stage was the website directly tested by the Ministry to determine whether it was truly secure and appropriately configured.

Several days after the sign-off, MCH deputy chief executive Tamsin Evans received an internal email alerting her that the Tuia 250 website lacked "any of the usual legal protections or disclaimers found on government websites".

"We need to add this information urgently, especially in light of our online forms through which we are collecting sensitive personal information for our trainee applicants," the email said.

An independent review of the botch-up - released in December - concluded the breach was most likely caused by the contractor having incorrect security settings on files containing personal information.

The report stated, however, that the Ministry was ultimately accountable, highlighting its failure to properly test the website's security or carry out a privacy impact assessment.

"The issues with the security settings and the insecure storage of personal information could have been discovered and rectified if penetration testing of the website had been carried out before the application process went live," the report said.

In response to the report's findings, MCH chief executive Bernadette Cavanagh apologised and said she had taken "immediate action" to improve security systems.

The Ministry has since committed to making security testing mandatory on all technical systems holding personal information.

In a statement to RNZ, Cavanagh said she retained full confidence in Townsley.

"He made recommendations based on all the information he was provided at the time," she said.

Cavanagh reiterated that the Ministry took full responsibility for the breach, had carried out a thorough investigation and was focused on preventing a repeat occurrence.

© Scoop Media

 
 
 
Top Scoops Headlines

 
 
 
 
 
 
 
 
 
 
 
 

Join Our Free Newsletter

Subscribe to Scoop’s 'The Catch Up' our free weekly newsletter sent to your inbox every Monday with stories from across our network.