4 January 2018
NZTA’s lost USB drive massive security breach
A lost computer drive by the New Zealand Transport Agency (NZTA) between Wellington and Auckland earlier this month was
potentially far more damaging than the ‘little risk of personal identity theft’ described by NZTA at the time,
National’s Data and Cybersecurity spokesperson Dr Shane Reti says.
“National has received documents which show the huge extent of the breach, cynically released by the Government just
before the Christmas holidays.
“We now know the lost USB drive contained information for staff identity cards for 1104 individuals including names,
email addresses, photos and signatures.
“This constitutes a significant data privacy breach that cannot be swept under the table as ‘little risk of personal
identity theft’.
“It is hard to believe and completely unacceptable that NZTA would courier staff identity data without password
protection and without encryption.
“NZTA needs to immediately offer all 1104 staff identity theft protection to monitor and protect them if the stolen
credentials are used. Email addresses may need to be changed and because photographs were included passport monitoring
may also be required.
“NZTA needs an independent body such as CertNZ or the Privacy Commissioner to urgently review their cybersecurity
policies and reassure the public with a report on findings and actions.
“The loss of the data drive is consistent with the cybersecurity laziness this Government has shown as Russian
cyberattacks on DHBs, lack of 2-factor-authentication at the Ministry of Health, and now the loss of a data drive with
no passwords and no encryption.
“Transport Minister Phil Twyford is responsible for the NZTA and his lack of transparency over this data loss is another
example of NZTA failing under his watch.”
Attachment: Answers to Parliamentary Written Questions