Ministry for Culture and Heritage privacy breach

Forums › IT Pro and developers › Ministry for Culture and Heritage privacy breach

openmedia

3324 posts

Uber Geek

Trusted

#255729 26-Aug-2019 14:30

I'm surprised that I can't find an existing GZ thread on this given it made TVNZ One's headlines last night

Now the follow comments are my own an in no way reflect my current employer

A couple of concerns

The Ministry isn't being transparent about the issue
- For example where was the data being hosted and who was the external company responsible for operating the service
The lack of governance for this project
- The appears to have been no security audit of a service that contains fairly critical confidential information
No one is being held accountable
- and yet they've know about the issue for some time before deciding to go public.

What I'd personally like to see

Security review of all NZ Govt services with a focus on data security
Immediate on-shoring of all NZ Govt data
Disclosure portal so that NZ nationals/residents can request a list of any external parties your data is being shared with
- broken down by agency
- for example passport data being shared for immigration purposes
- options to opt out of data sharing

I'm personally unhappy to see my personal data being hosted offshore by Government departments, but it appears to be an increasing trend as departments move to cloud based platforms.

Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.

1 | 2

4066 posts

Uber Geek

Trusted

Snowflake

#2306206 26-Aug-2019 14:39

"Immediate onshoring of all nz govt data" isnt a solution. Security can be better monitorrd/managed in many offshore hosted services/solutions than in many onshore options.

Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

Beccara

1469 posts

Uber Geek

ID Verified

#2306210 26-Aug-2019 14:50

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under privacy act

Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

BlinkyBill

1443 posts

Uber Geek
Inactive user

#2306252 26-Aug-2019 15:41

Big cloud providers are certain to have significantly better security available than small local providers who haven’t invested in specialists. This breach illustrates this perfectly.

Beccara

1469 posts

Uber Geek

ID Verified

#2306261 26-Aug-2019 15:52

Yeah the only guys i'd trust in NZ for cloud like this would be Catalyst

edit:// Govt Dept's also have the ISM which is a pretty good framework for this under the PSR. I doubt the root cause of this issue is lacking policy but lacking implementation https://www.nzism.gcsb.govt.nz/

BuffyNZ

241 posts

Master Geek

#2306280 26-Aug-2019 16:16

Beccara:

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under privacy act

Can't the AU govt now demand the encryption keys and/or backdoors to all data stored in the AU?

I recall some chatter about how no data stored in the AU can be GDPR compliant.

https://iapp.org/news/a/australias-anti-encryption-collision-with-gdpr-sub-processing/

Recursion: See recursion.
--
“It is important not to let the perfect become the enemy of the good, even when you can agree on what perfect is. Doubly so when you can't. As unpleasant as it is to be trapped by past mistakes, you can't make any progress by being afraid of your own shadow during design.”

--Greg Hudson, Subversion developer

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2306282 26-Aug-2019 16:18

Not sure if I heard right, but was not the web site that gathered the info in the first place a wordpress one [rolls eyes] if so then not very clever.

Cyril

networkn

Networkn
32349 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#2306283 26-Aug-2019 16:19

As a result of having no culture or heritage, thankfully I am unaffected by this :)

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

nztim

3812 posts

Uber Geek

ID Verified

Trusted

TEAMnetwork

Subscriber

#2306308 26-Aug-2019 17:17

BuffyNZ:

Beccara:

AWS/MS cloud options in AU are perfectly fine. Local doesn't mean secure. Access to your data and where it's gone is already covered under privacy act

Can't the AU govt now demand the encryption keys and/or backdoors to all data stored in the AU?

I recall some chatter about how no data stored in the AU can be GDPR compliant.

https://iapp.org/news/a/australias-anti-encryption-collision-with-gdpr-sub-processing/

yes they can, law changed Dec 2018

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

Rikkitic

Awrrr
18657 posts

Uber Geek

Lifetime subscriber

#2306356 26-Aug-2019 17:39

openmedia:

I'm surprised that I can't find an existing GZ thread on this given it made TVNZ One's headlines last night

Actually, I did start one in Politics yesterday afternoon but no-one responded.

Plesse igmore amd axxept applogies in adbance fir anu typos

openmedia

3324 posts

Uber Geek

Trusted

#2306406 26-Aug-2019 19:14

Regs: "Immediate onshoring of all nz govt data" isnt a solution. Security can be better monitorrd/managed in many offshore hosted services/solutions than in many onshore options.

Except I don't my data to be requested by the AU or US Governments without my knowledge or permission.

Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.

Regs

4066 posts

Uber Geek

Trusted

Snowflake

#2306425 26-Aug-2019 20:01

openmedia:
Regs: "Immediate onshoring of all nz govt data" isnt a solution. Security can be better monitorrd/managed in many offshore hosted services/solutions than in many onshore options.

Except I don't my data to be requested by the AU or US Governments without my knowledge or permission.

A lot of cloud solutions can be configured so that the keys to decrypt are only in the control of the company who buys the service. Not much AU/US can do in that situation except come at the company asking for the keys.

Your data most likely will be easier for a 3rd party to "take" in a local providers infrastructure - where they have less money to spend on threat protections, and information protection.

Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

Beccara

1469 posts

Uber Geek

ID Verified

#2306474 26-Aug-2019 21:21

If a state wants your data it will get your data no matter where it is. There's a reason security levels jump in terms of cost and manpower when your threat model is a state level actor

VirtualKiwi

29 posts

Geek

#2306481 26-Aug-2019 21:31

cyril7:

Not sure if I heard right, but was not the web site that gathered the info in the first place a wordpress one [rolls eyes] if so then not very clever.

Cyril

I looked up the Google cache, and yes, it is (or was) a Wordpress site, using the Divi drag and drop page builder, so likely built by a designer, not a developer from the look of things.

Even worse, looking at the source code, it looks as though it requires Flash!

I've seen some pretty dodgy stuff at times, probably more so from designers, but also sometimes from developers.

Using the same password easily guessable password for multiple websites for the admin admin login.
Using Wordpress with a stack of plugins, with no idea of whether they're secure or not.
Using libraries with known XSS vulnerabilities.
Sites running on http instead of https even though offerings like letsencrypt make https trivial to implement.

I'm a bit disappointed though that the government response is now that only a limited range of suppliers will be considered in future, as this is likely to lock out small providers who do make an effort to take more care with security.

It can be hard enough competing with the Wordpress crowd, without them giving the industry a bad name.

Jogre

182 posts

Master Geek

#2306628 27-Aug-2019 10:13

https://www.reseller.co.nz/article/665671/government-mandates-use-approved-ict-providers-after-security-failure/

Govt Mandate on ICT providers sounds like a reasonable response. The issue isn't the hosting location, it is the people rolling it out without being competent. I think what Microsoft and Amazon are investing in their hosting is not able to be reproduced onshore in terms of the infrastructure and levels of security. But if you use Admin/Admin as the credentials to access, there's no helping you.

BlinkyBill

1443 posts

Uber Geek
Inactive user

#2306635 27-Aug-2019 10:35

The same sort of people who established the approved providers list selected the provider for this Culture and Heritage website. That is, Public Servants.

1 | 2