I'm surprised that I can't find an existing GZ thread on this given it made TVNZ One's headlines last night
- https://www.stuff.co.nz/national/politics/115272094/ministry-for-culture-and-heritage-privacy-breach-somebody-has-to-be-held-to-account
- https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=12261829
- https://www.tvnz.co.nz/one-news/new-zealand/ministry-culture-and-heritage-privacy-breach-victim-somebody-has-held-account
Now the following comments are my own and in no way reflect my current employer.
A couple of concerns
- The Ministry isn't being transparent about the issue
- For example where was the data being hosted and who was the external company responsible for operating the service
- The lack of governance for this project
- There appears to have been no security audit of a service that contains fairly critical confidential information
- No one is being held accountable
- and yet they've known about the issue for some time before deciding to go public.
What I'd personally like to see
- Security review of all NZ Govt services with a focus on data security
- Immediate on-shoring of all NZ Govt data
- Disclosure portal so that NZ nationals/residents can request a list of any external parties your data is being shared with
- broken down by agency
- for example passport data being shared for immigration purposes
- options to opt out of data sharing
I'm personally unhappy to see my personal data being hosted offshore by Government departments, but it appears to be an increasing trend as departments move to cloud-based platforms.