
Platform should have been tested, expert says

Sunday, 25 August 2019

Manatū Taonga Ministry for Culture and Heritage chief executive Bernadette Cavanagh says more than 300 people who had applied to be part of the Tuia 250 sailings around the New Zealand coast have been affected by a digital privacy security breach.

In the wake of the Government's latest data breach, a cyber security expert is questioning why people's personal information was allowed to be so easy to access.

The Ministry for Culture and Heritage revealed on Sunday more than 300 people had their personal documents compromised on a ministry-commissioned website.

AUT's head of computer sciences Dave Parry said any website holding important information, whether it be Government or private, should be tested as secure before being allowed to hold this data.

He said this kind of breach was especially serious because people's critical identity information was so readily available.


'It has not been done by social engineering by sending out phishing emails or getting people to give passwords away. The actual data was on the website itself and websites are often vulnerable.'

Websites should be tested for security against hackers.

'That raises very serious questions about who has breached it and how come nobody tested it to make sure they didn't.'

Parry said if the Government was collecting any potentially sensitive information, outside contractors should be made to show that the security had been verified as part of their contract.

Having data such as driver's licence numbers, passport details and birth certificates in the wrong hands can lead to so many areas of people's lives being insecure.

'Once they've got that sort of information on people, that's what they use to validate everything else.

'The people involved are going to have to contact a fair number of organisations to let them know that this has happened.'

This data breach comes not long after last month's release of the Government's New Zealand Cyber Security Strategy 2019.

'It's a good strategy, but there's a lack of understanding about the consequences of being careless in this area.

'There are very few checks and balances within organisations, and the Government is one of them, that actually look to find the problem.'

It wasn't good enough just to try and be secure, it had to be tested, he said.

'You can't just do best effort, you actually have to test.'

He questioned why critical information such as that exposed in this latest breach would be loaded onto a website in the first place.

'You've really got to consider, what do you really need and is there some other way of getting it without having it on a public facing website?'

He said there were tools available on the dark web for hackers to scour the internet for vulnerabilities in websites such as these.