Hundreds of young people have had their sensitive details exposed online - including passports, birth certificates and drivers' licences - due to a security breach on a government website.
In a media conference in Wellington this morning, Ministry for Culture and Heritage chief executive Bernadette Cavanagh apologised for the "completely unacceptable" error and launched an independent review into what went wrong.
Roughly 300 people - most aged between 16 and 20 - had provided the information to the ministry as part of their applications to take part in Tuia 250 commemorations marking 250 years since the James Cook landing.
Ms Cavanagh said their details were uploaded to an external website without sufficient protections and could have been found through a simple Google search.
"Frankly, it was a mistake, it was a coding error, the right protections weren't put in place," she said.
"I'm just so sorry this happened."
Ms Cavanagh said she was ultimately responsible for the breach, but confirmed she had not offered her resignation. She said it was too early to say whether anyone would lose their job.
"I have asked for an external review to see what went wrong in this case and to ensure that the ministry's processes around gathering and storing information is robust."
The ministry was alerted to the breach on Thursday by the parent of an applicant who had discovered their drivers' licence had been used fraudulently to try and purchase concert tickets online.
Government ministers were immediately notified and all information was removed from the site by that evening. The website was shut down completely on Friday.
Personal identification documents that have been compromised include:
- 228 passports (209 NZ, 19 international - Australia, Brazil, China, US, Canada, South Africa, UK, and Denmark)
- 55 driver licences
- 36 birth certificates
- 6 secondary school IDs
- 5 NZ residential visas
Ms Cavanagh said some cached copies of the material could still be found online, but the ministry had approached Google and other search engines to request it be taken down.
All applicants had been contacted and offered replacement documents at no cost, she said.
Situation 'alarming', parent says
Since the Tuia 250 website has been shut down its Facebook page has been busy with people asking if their data had been breached and what the next steps would be.
One Facebook user commented: "I've been contacted about my personal information being shared with a third party? Could someone please explain this to me."
A helpline with the number 0800 624 669 and website has been set up to support people who are impacted by the breach.
A helpline operator said they had not been very busy.
The mother of an applicant - who did not want to be named - told RNZ the whole situation was "alarming".
"Even the phone call and the email we got about it seemed dodgy. It was hard to tell if it was genuine," she said.
She said the error was heightened by the majority of the applicants being young Māori and Pasifika people.
"Unfortunately, it looks like a present day example of a colonialist institution once again being neglectful of the taonga of Te Ao Māori, in this case, their identity.
"It is a huge fail, sadly," she said.
Speaking at the media conference, government chief digital officer Paul James said he would write to all public chief executives to remind them of the standards and policies and to confirm they were complying.
He said it appeared the Tuia 250 website had not been configured according to the required security standards.
"It's a really significant breach and it's definitely regrettable."
Ms Cavanagh confirmed the ministry had commissioned an outside company - which she would not name - to develop the website. She said the company had not been used for any other website.
Prime Minister Jacinda Ardern is responsible for the Ministry for Culture and Heritage, also known as Manatū Taonga.
A spokesperson for Ms Ardern declined a request for an interview, but issued a statement confirming she'd been alerted to the breach.
"This is very disappointing, and Manatū Taonga will be commissioning an external review to determine how this occurred," she said.
"It is too early for me to comment further."
The National Party is demanding the government act quickly to fix whatever problems exist in its cyber security after the breach.
National's Nicky Wagner said the scope of the breach was astonishing.
"It sounds like a mixture of carelessness and naivety to me, this is serious, this is a very large number of young people's information and it's not just their names for example, it's details of passports, driver's licences - I can't believe this has happened."
Ms Wagner said the Prime Minister must ask some tough questions of her officials to fix what went wrong.
Tuia - Encounters 250 (Tuia 250) is an initiative marking 250 years since the first onshore meetings between Māori and Europeans.
The Voyage Trainee programme is an opportunity for New Zealanders to sail aboard the vessels in the Tuia 250 Voyage during October to December of this year.
Tuia 250 Ki Totaranui is expected to be less of a celebration and more a commemoration of history that had impacted all New Zealanders.
The privacy breach comes just months after Treasury said its website had been subject to "deliberate and systematic" hacking. It was later revealed the National Party had accessed sensitive Budget information using the website's search function.