Tuia 250 Privacy Breach – Ministry for Culture and Heritage

Paul Spain

This morning I was interviewed on the RNZ National programme ‘Morning Report’. After further queries about this breach it seems appropriate to share a little more detail here for those who are interested. In summary, a website (tuia250.nz) built by a third party for the Ministry for Culture and Heritage unintentionally made available digital copies of the following documents:

  • 228 passports (209 NZ passports, 19 international passports from Australia, Brazil, Canada, China, Denmark, South Africa, UK, USA)
  • 55 driver licences
  • 36 birth certificates
  • 6 secondary school IDs
  • 5 NZ residential visas

Digital copies of some of these documents are now in the hands of unknown people and there is already a case in which misuse of one of these documents has been attempted. There is risk to all individuals whose documents have been compromised – including fraud and identity theft.

How should organisations choose to store digital copies of passports and personal identification?

Choosing how to secure and store this sort of data is a critical organisational decision. It should ideally be directed and signed off by senior staff with an understanding of both cyber security and the impact of mistakes with others’ data. This might typically include a Chief Information Officer (CIO) or a Chief Information Security Officer (CISO). It seems likely that step didn’t happen in this case – possibly an internal process was missed or lacking.

Naturally there is technology for storing personal information within government and businesses that encrypts the data. There are also technologies focused on minimising the risk of the data getting out, known as Data Loss Prevention (DLP). In this case it appears the data wasn’t encrypted or protected by DLP software and policy.

Organisations that need identification should avoid holding on to this data unnecessarily. If a check can be made quickly without storing copies of documents, that will often cost much less than storing the data, due to the huge security responsibilities of storing identification documents.

Was the website developer at fault?

It may be unfair to expect a typical small New Zealand website design firm or website developer to have expertise in how to secure such critical data. This would be different if they were a large technology provider contracted for this job because of their specialist skills in dealing with data of this nature and were contracted specifically to put suitable protections in place.

How should individuals react to requests for copies of their identification documents?

Whenever I’m asked for a digital or paper copy of my identification documents (such as a passport or driver license) I usually look to see if there is an alternative. I understand some organisations need to view this information, but in many cases they should not be storing it. If I’m providing a copy of my passport, I’d prefer to know that data would be immediately destroyed – or that it were protected by an enterprise grade DLP (data loss prevention) system. As I mentioned on Morning Report, dealing with identification documents is challenging for many organisations now – many ask for copies of passports and driver licenses and choose to store them. Knowing how poor security of this data can be, I often refuse to supply copies of a passport or driver license digitally, and I request paper copies are shredded or returned to me.

Is current legislation around copying personal identification documents adequate?

I haven’t read the related legislation; however, current practices around copying personal data seem very loose and I believe it’s time the government considered how we reduce further risks.