Ministry for Culture and Heritage privacy breach

Forums › IT Pro and developers › Ministry for Culture and Heritage privacy breach

openmedia

2114 posts

Uber Geek

Trusted

# 255729 26-Aug-2019 14:30

2 people support this post

I'm surprised that I can't find an existing GZ thread on this given it made TVNZ One's headlines last night

Now the follow comments are my own an in no way reflect my current employer

A couple of concerns

The Ministry isn't being transparent about the issue
- For example where was the data being hosted and who was the external company responsible for operating the service
The lack of governance for this project
- The appears to have been no security audit of a service that contains fairly critical confidential information
No one is being held accountable
- and yet they've know about the issue for some time before deciding to go public.

What I'd personally like to see

Security review of all NZ Govt services with a focus on data security
Immediate on-shoring of all NZ Govt data
Disclosure portal so that NZ nationals/residents can request a list of any external parties your data is being shared with
- broken down by agency
- for example passport data being shared for immigration purposes
- options to opt out of data sharing

I'm personally unhappy to see my personal data being hosted offshore by Government departments, but it appears to be an increasing trend as departments move to cloud based platforms.

Generally known online as OpenMedia, now working for Red Hat APAC a Technology Evangelist and Product Manager. Still playing with MythTV and digital media on the side.

1 | 2

Cloud Guru
4060 posts

Uber Geek

Trusted

Snowflake

Subscriber

# 2306206 26-Aug-2019 14:39

5 people support this post

"Immediate onshoring of all nz govt data" isnt a solution. Security can be better monitorrd/managed in many offshore hosted services/solutions than in many onshore options.

Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

Beccara

1098 posts

Uber Geek

# 2306210 26-Aug-2019 14:50

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under privacy act

Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

BlinkyBill

451 posts

Ultimate Geek

# 2306252 26-Aug-2019 15:41

Big cloud providers are certain to have significantly better security available than small local providers who haven’t invested in specialists. This breach illustrates this perfectly.

BlinkyBill

Beccara

1098 posts

Uber Geek

# 2306261 26-Aug-2019 15:52

One person supports this post

Yeah the only guys i'd trust in NZ for cloud like this would be Catalyst

edit:// Govt Dept's also have the ISM which is a pretty good framework for this under the PSR. I doubt the root cause of this issue is lacking policy but lacking implementation https://www.nzism.gcsb.govt.nz/

BuffyNZ

Will not stab you
237 posts

Master Geek

Subscriber

# 2306280 26-Aug-2019 16:16

Beccara:

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under privacy act

Can't the AU govt now demand the encryption keys and/or backdoors to all data stored in the AU?

I recall some chatter about how no data stored in the AU can be GDPR compliant.

https://iapp.org/news/a/australias-anti-encryption-collision-with-gdpr-sub-processing/

Recursion: See recursion.
--
“It is important not to let the perfect become the enemy of the good, even when you can agree on what perfect is. Doubly so when you can't. As unpleasant as it is to be trapped by past mistakes, you can't make any progress by being afraid of your own shadow during design.”

--Greg Hudson, Subversion developer

cyril7

6911 posts

Uber Geek

Trusted

Subscriber

# 2306282 26-Aug-2019 16:18

Not sure if I heard right, but was not the web site that gathered the info in the first place a wordpress one [rolls eyes] if so then not very clever.

Cyril

networkn

21044 posts

Uber Geek

Trusted

Lifetime subscriber

# 2306283 26-Aug-2019 16:19

2 people support this post

As a result of having no culture or heritage, thankfully I am unaffected by this :)

nztim

37 posts

Geek

# 2306308 26-Aug-2019 17:17

BuffyNZ:

Beccara:

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under privacy act

Can't the AU govt now demand the encryption keys and/or backdoors to all data stored in the AU?

I recall some chatter about how no data stored in the AU can be GDPR compliant.

https://iapp.org/news/a/australias-anti-encryption-collision-with-gdpr-sub-processing/

yes they can, law changed Dec 2018

Rikkitic

Fat bottom Trump
10575 posts

Uber Geek

Lifetime subscriber

# 2306356 26-Aug-2019 17:39

openmedia:

I'm surprised that I can't find an existing GZ thread on this given it made TVNZ One's headlines last night

Actually, I did start one in Politics yesterday afternoon but no-one responded.

I don't think there is ever a bad time to talk about how absurd war is, how old men make decisions and young people die. - George Clooney

openmedia

2114 posts

Uber Geek

Trusted

# 2306406 26-Aug-2019 19:14

Regs: "Immediate onshoring of all nz govt data" isnt a solution. Security can be better monitorrd/managed in many offshore hosted services/solutions than in many onshore options.

Except I don't my data to be requested by the AU or US Governments without my knowledge or permission.

Generally known online as OpenMedia, now working for Red Hat APAC a Technology Evangelist and Product Manager. Still playing with MythTV and digital media on the side.

Regs

Cloud Guru
4060 posts

Uber Geek

Trusted

Snowflake

Subscriber

# 2306425 26-Aug-2019 20:01

2 people support this post

openmedia:
Regs: "Immediate onshoring of all nz govt data" isnt a solution. Security can be better monitorrd/managed in many offshore hosted services/solutions than in many onshore options.

Except I don't my data to be requested by the AU or US Governments without my knowledge or permission.

A lot of cloud solutions can be configured so that the keys to decrypt are only in the control of the company who buys the service. Not much AU/US can do in that situation except come at the company asking for the keys.

Your data most likely will be easier for a 3rd party to "take" in a local providers infrastructure - where they have less money to spend on threat protections, and information protection.

Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

Beccara

1098 posts

Uber Geek

# 2306474 26-Aug-2019 21:21

If a state wants your data it will get your data no matter where it is. There's a reason security levels jump in terms of cost and manpower when your threat model is a state level actor

VirtualKiwi

21 posts

Geek

# 2306481 26-Aug-2019 21:31

cyril7:

Not sure if I heard right, but was not the web site that gathered the info in the first place a wordpress one [rolls eyes] if so then not very clever.

Cyril

I looked up the Google cache, and yes, it is (or was) a Wordpress site, using the Divi drag and drop page builder, so likely built by a designer, not a developer from the look of things.

Even worse, looking at the source code, it looks as though it requires Flash!

I've seen some pretty dodgy stuff at times, probably more so from designers, but also sometimes from developers.

Using the same password easily guessable password for multiple websites for the admin admin login.
Using Wordpress with a stack of plugins, with no idea of whether they're secure or not.
Using libraries with known XSS vulnerabilities.
Sites running on http instead of https even though offerings like letsencrypt make https trivial to implement.

I'm a bit disappointed though that the government response is now that only a limited range of suppliers will be considered in future, as this is likely to lock out small providers who do make an effort to take more care with security.

It can be hard enough competing with the Wordpress crowd, without them giving the industry a bad name.

Jogre

86 posts

Master Geek

Microsoft NZ

# 2306628 27-Aug-2019 10:13

One person supports this post

https://www.reseller.co.nz/article/665671/government-mandates-use-approved-ict-providers-after-security-failure/

Govt Mandate on ICT providers sounds like a reasonable response. The issue isn't the hosting location, it is the people rolling it out without being competent. I think what Microsoft and Amazon are investing in their hosting is not able to be reproduced onshore in terms of the infrastructure and levels of security. But if you use Admin/Admin as the credentials to access, there's no helping you.

BlinkyBill

451 posts

Ultimate Geek

# 2306635 27-Aug-2019 10:35

The same sort of people who established the approved providers list selected the provider for this Culture and Heritage website. That is, Public Servants.

BlinkyBill

1 | 2