Privacy breach with the Tuia 250 Voyage website
MANATŪ TAONGA MINISTRY FOR CULTURE AND
HERITAGE MEDIA
RELEASE
25 August
2019
Privacy breach
identified with the Tuia 250 Voyage Trainee website
Manatū Taonga Ministry
for Culture and Heritage is investigating a serious digital
privacy breach involving the Tuia 250 Voyage Trainee
programme.
The breach could impact 302 people who applied for the programme and provided personal details as part of the process. The Ministry has undertaken specialist security investigations to identify the scope of the breach.
“I would like to apologise to all people affected by this breach,” says Ministry Tumu Whakarae Chief Executive Bernadette Cavanagh. “I acknowledge that this is completely unacceptable and am using every resource available to me to support them through this issue.”
“This breach has revealed a serious information management issue on an external site commissioned for the Tuia - Encounters 250 national commemoration of which the Tuia 250 Voyage Trainee programme is a part. Our advice from our security investigators is that this wasn’t a targeted attack on the website, but rather an opportunistic finding of information that wasn’t as secure as it should have been.”
The breach involves the personal details of people who applied to the Tuia 250 Voyage Trainee programme and includes images of passports, driver licences, birth certificates and other forms of identification stored on the website. Information from investigations to date shows that at least 370 documents have been compromised.
The issue was identified after a parent of one of the applicants alerted the Ministry to a fraud attempt using a copy of a driver licence stored on the site. The matter has been referred to police, who are progressing with the complaint.
“We have let down applicants. They trusted us with their sensitive information and documents and we recognise that for many people their personal information is taonga. The level of security required to keep that information confidential simply wasn’t good enough.
“I have asked for an external review to see what went wrong in this case and to ensure that the Ministry’s processes around gathering and storing information is robust. I would like to sincerely apologise to those impacted by this situation. My number one focus is ensuring that affected people have the level of support they need.”
The breach was discovered on Thursday 22 August, and all personal information was immediately removed from storage on the website. On Friday 23 August the website was shut down and a security investigation was undertaken to identify affected parties, allowing us to start calling those affected on Saturday 24 August.
“Our priority has been identifying and contacting affected parties and offering them support.
“We are currently working with Google and other search engines to remove any cached versions of this information. This is a process that could take some time to resolve, but we are committed to doing everything we can to have this information removed.”
A cross-government response team has been established to streamline assistance for affected people and ensure they have access to the support they need – including replacing passports and driver licences where necessary. This includes a freephone call centre and dedicated email address.
“We have contacted all the people affected and are working with them on a case-by-case basis to minimise the impact of the breach and ensure they have access to the support and services they need.”
Note to
editors
The Tuia -
Encounters 250 national commemoration is a programme of
events, education and reflection that celebrates Aotearoa
New Zealand’s Pacific voyaging heritage and acknowledges
the first onshore encounters between Māori and Pākehā in
1769-70.
The Voyage Trainee programme gives New Zealanders the opportunity to sail aboard the vessels in the Tuia 250 Voyage during October to December of this year.