A lost computer drive by the New Zealand Transport Agency (NZTA) between Wellington and Auckland earlier this month was potentially far more damaging than the ‘little risk of personal identity theft’ described by NZTA at the time, National’s Data and Cybersecurity spokesperson Dr Shane Reti says.
“National has received documents which show the huge extent of the breach, cynically released by the Government just before the Christmas holidays.
“We now know the lost USB drive contained information for staff identity cards for 1104 individuals including names, email addresses, photos and signatures.
“This constitutes a significant data privacy breach that cannot be swept under the table as ‘little risk of personal identity theft’.
“It is hard to believe and completely unacceptable that NZTA would courier staff identity data without password protection and without encryption.
“NZTA needs to immediately offer all 1104 staff identity theft protection to monitor and protect them if the stolen credentials are used. Email addresses may need to be changed and because photographs were included passport monitoring may also be required.
“NZTA needs an independent body such as CertNZ or the Privacy Commissioner to urgently review their cybersecurity policies and reassure the public with a report on findings and actions.
“The loss of the data drive is consistent with the cybersecurity laziness this Government has shown as Russian cyberattacks on DHBs, lack of 2-factor-authentication at the Ministry of Health, and now the loss of a data drive with no passwords and no encryption.
“Transport Minister Phil Twyford is responsible for the NZTA and his lack of transparency over this data loss is another example of NZTA failing under his watch.”