New Zealand beefs up IT security after government data breach

New Zealand has clamped down on government agencies using unvetted IT service providers, following a data breach which saw a supplier inadvertently leak hundreds of people’s personal information.
The government is taking action to more tightly control rules around privacy and systems security after the breach at the Ministry for Culture and Heritage, which allowed more than 300 people’s birth certificates, passport numbers and drivers’ licences to be viewed online.
In the wake of the breach, prime minister Jacinda Ardern announced that the government will be introducing mandatory requirements for certain agencies to procure all products and services from the list of approved providers on the ‘all-of-government ICT common capabilities list’, with immediate effect.
The requirements apply to “small agencies”, a term that refers not to the size of the department but to the size of its ICT footprint. The list includes important agencies such as the Department of the Prime Minister and Cabinet, the Ministry of Defence, the State Services Commission, and the Treasury – which was itself embroiled in a recent data breach scandal, in which sensitive government budget information was made public ahead of its official release.
“My understanding is that list [of approved providers] has not been mandatory, but as I’ve set out, as an interim step, while we work through what needs to occur to prevent [a data breach] ever happening again, we will now be requiring those small agencies to procure from that list over the near future while we work to ensure the security of all New Zealanders’ data and restore confidence in the systems and the agencies who are providing services to the New Zealand public,” Ardern said during a post-Cabinet meeting press conference.
The new stricter rules also require agencies to review current and future planned IT projects to identify potential security gaps; implement ‘common capability’ security; adhere to privacy-related guidance from the government chief deputy officer; and obtain certification proving that they are following the government chief information officer’s security standards and policy.
Data breach
The data breach that prompted the move involved inadequate security arrangements by an unnamed IT provider – which was not on the list of approved suppliers – covering sensitive information submitted to the Tuia 250 website, through which people could apply to take part in a commemorative voyage acknowledging the first onshore encounters between Maori and British settlers in 1769.
Images of documents provided by the applicants may have been publicly available online for more than two months before the breach was discovered on 22 August.
Initial investigations indicate that the breach was not the result of a targeted attack, but rather an opportunistic find of insecure information, according to the Ministry for Culture and Heritage.
Ardern said the Ministry is working with Google to remove the caching of the leaked information.
Imposing control
In a January interview with Global Government Forum, Tim Occleshaw, New Zealand’s deputy government chief digital officer, spoke about harmonious e-government and the decision that the Office of the Government Chief Digital Officer (OGCDO) should work with agencies on their digital programmes rather than dictate what should be done.
“It’s better to paint a picture of the desired vision, and to have agencies wanting to be on board, as opposed to us constantly trying to fight them or impose controls that they’ll have all sorts of resourceful ways to resist if they wish,” he said. The mandatory requirements announced by Ardern may highlight the limitations of this approach, pointing to the need for tighter central controls over some aspects of IT operations.