NZ bans use of unapproved ICT suppliers


By Dylan Bushell-Embling
Tuesday, 27 August, 2019


The New Zealand government has banned the use of ICT products and services from unapproved suppliers following a data breach involving the personal information of over 300 people.

The breach, reported by the Ministry of Arts, Culture and Heritage, involved an unnamed ICT provider inadvertently leaking sensitive personal information submitted to the Tuia 250 website.

The website was soliciting trainee applicants for an in-progress commemorative voyage acknowledging the first onshore encounters between Maori and British settlers in 1769.

Images of documents provided by the applicants, including passports, driver’s licences and birth certificates, may have been publicly available online since June 2019.

Initial investigations indicate that the breach was not the result of a targeted attack, but rather an opportunistic find of insecure information, the Ministry said.

In the wake of the breach, New Zealand Prime Minister Jacinda Ardern has announced the introduction of mandatory requirements for “small agencies” to only procure products and services from the list of approved providers on the all-of-government ICT common capabilities list.

“Small agencies” refers not to the size of the department but to the size of its ICT footprint, so the list includes important agencies such as the Department of the Prime Minister and Cabinet, Treasury, State Services Commission and the Ministry of Defence.

The requirements, which will also apply to the Ministries of Transport and Housing as well as the Ministries for Women and Pacific Peoples, will also compel agencies to review current and future planned ICT projects for security gaps.

Agencies must also implement the security and privacy guidelines from the Government Chief Digital Officer, and secure the office’s certification that they are following the Government Chief Information Officer’s information security standards and policy.

“I can confirm that in the case of the provider who established the Tuia 250 website, they were not on the all-of-government ICT common capabilities list. My understanding is that list has not been mandatory,” Ardern said.

“But... as an interim step, while we work through what needs to occur to prevent this ever happening again, we will now be requiring those small agencies to procure from that list over the near future while we work to ensure the security of all New Zealanders’ data and restore confidence in the systems and the agencies who are providing services to the New Zealand public.”

Ardern said the Ministry of Arts, Culture and Heritage is working with Google to remove the caching of the leaked information.


  • All content Copyright © 2020 Westwick-Farrow Pty Ltd