New Zealand beefs up IT security after government data breach

By on 08/09/2019 | Updated on 04/02/2022
The data breach released information submitted by citizens applying to participate in a voyage marking the 250th anniversary of the first contacts between local Maoris and British settlers, depicted here in a 1769 painting (image courtesy: British Library/Tupaia)

New Zealand has clamped down on government agencies using unvetted IT service providers, following a data breach which saw a supplier inadvertently leak hundreds of people’s personal information.   

The government is taking action to more tightly control rules around privacy and systems security after the breach at the Ministry for Culture and Heritage, which allowed more than 300 people’s birth certificates, passport numbers and drivers’ licences to be viewed online.

In the wake of the breach, prime minister Jacinda Ardern announced that the government will be introducing mandatory requirements for certain agencies to procure all products and services from the list of approved providers on the ‘all-of-government ICT common capabilities list’, with immediate effect.  

The requirements apply to “small agencies”, referring not to the size of the department but of their ICT footprint. The list includes important agencies such as the Department of the Prime Minister and Cabinet, the Ministry of Defence, the State Services Commission, and the Treasury – which was itself embroiled in a recent data breach scandal, in which sensitive government budget information was made public ahead of its official release.

“My understanding is that list [of approved providers] has not been mandatory, but as I’ve set out, as an interim step, while we work through what needs to occur to prevent [a data breach] ever happening again, we will now be requiring those small agencies to procure from that list over the near future while we work to ensure the security of all New Zealanders’ data and restore confidence in the systems and the agencies who are providing services to the New Zealand public,” Ardern said during a post-Cabinet meeting press conference.

The new stricter rules also require agencies to review current and future planned IT projects to identify potential security gaps; implement ‘common capability’ security; adhere to privacy-related guidance from the government chief deputy officer; and obtain certification proving that they are following the government chief information officer’s security standards and policy.

Data breach

The data breach that prompted the move involved inadequate security arrangements by an unnamed IT provider – which was not on the list of approved suppliers – covering sensitive information submitted to the Tuia 250 website, through which people could apply to take part in a commemorative voyage acknowledging the first onshore encounters between Maori and British settlers in 1769.

Images of documents provided by the applicants may have been publicly available online for more than two months before the breach was discovered on 22 August.

Initial investigations indicate that the breach was not the result of a targeted attack, but rather an opportunistic find of insecure information, according to the Ministry for Culture and Heritage.

Ardern said the Ministry is working with Google to remove the caching of the leaked information.

Imposing control

In a January interview with Global Government Forum Tim Occleshaw, New Zealand’s deputy government chief digital officer, spoke about harmonious e-government and the decision that the Office of the Government Chief Digital Officer (OGCDO) should work with agencies on their digital programmes rather than dictate what should be done.

“It’s better to paint a picture of the desired vision, and to have agencies wanting to be on board, as opposed to us constantly trying to fight them or impose controls that they’ll have all sorts of resourceful ways to resist if they wish,” he said. The mandatory requirements announced by Ardern may highlight the limitations of this approach, pointing to the need for tighter central controls over some aspects of IT operations.

About Mia Hunt

Mia is a journalist and editor with a background in covering commercial property, having been market reports and supplements editor at trade title Property Week and deputy editor of Shopping Centre magazine, now known as Retail Destination. She has also undertaken freelance work for several publications including the preview magazine of international trade show, MAPIC, and TES Global (formerly the Times Educational Supplement) and has produced a white paper on energy efficiency in business for E.ON. Between 2014 and 2016, she was a member of the Revo Customer Experience Committee and an ACE Awards judge. Mia graduated from Kingston University with a first-class degree in journalism and was part of the team that produced The River newspaper, which won Publication of the Year at the Guardian Student Media Awards in 2010.

Leave a Reply

Your email address will not be published. Required fields are marked *