A top tech boss at the Ministry of Culture and Heritage (MCH) reviewed the Tuia 250 website's security and declared it
"fit for purpose" just two months before a major breach was uncovered, new correspondence shows.The waka flotilla arrives in the bay as part of the Tuia 250. Photo: RNZ / Meriana Johnsen
The security lapse - discovered by a member of the public in August 2019 - compromised the privacy of roughly 300 young people who had uploaded sensitive material while applying to take part in commemorations.
The breach exposed copies of the applicants' passports, birth certificates and drivers' licences online, leaving them
able to be found via a simple Google search.
Correspondence obtained by RNZ under the Official Information Act shows the website - which was set up by an external
contractor - had been given the all-clear by MCH Chief Information Officer Kenny Townsley.
Emails show Townsley conducted a "security review" of the site in early June 2019 after concerns were raised within the
Ministry.
As part of the assessment, he sought assurances from the contractor, but did not personally test that the site was
secure.
In an email sent on 11 June, the contractor told the Ministry that the website's security was up to scratch, but
admitted the personal data being collected was "not encrypted" while being stored on the server.
Later that day, Townsley wrapped up his "review", concluding that the site was "fit for purpose from a security point of
view" and all functions should be enabled.
"Information provided by the website vendor ... does verify that security has been considered as a core requirement and
they have put in place security measures that would be deemed reasonable and appropriate," he emailed to senior
management.
At no stage was the website directly tested by the Ministry to determine whether it was truly secure and appropriately
configured.
Several days after the sign-off, MCH deputy chief executive Tamsin Evans received an internal email alerting her that
the Tuia 250 website lacked "any of the usual legal protections or disclaimers found on government websites".
"We need to add this information urgently, especially in light of our online forms through which we are collecting
sensitive personal information for our trainee applicants," the email said.
An independent review of the botch-up - released in December - concluded the breach was most likely caused by the contractor having incorrect security settings on files containing
personal information.
The report stated, however, that the Ministry was ultimately accountable, highlighting its failure to properly test the
website's security or carry out a privacy impact assessment.
"The issues with the security settings and the insecure storage of personal information could have been discovered and
rectified if penetration testing of the website had been carried out before the application process went live," the
report said.
In response to the report's findings, MCH chief executive Bernadette Cavanagh apologised and said she had taken
"immediate action" to improve security systems.
The Ministry has since committed to making security testing mandatory on all technical systems holding personal
information.
In a statement to RNZ, Cavanagh said she retained full confidence in Townsley.
"He made recommendations based on all the information he was provided at the time," she said.
Cavanagh reiterated that the Ministry took full responsibility for the breach, had carried out a thorough investigation
and was focused on preventing a repeat occurrence.