#privacy: New Zealand Transport officials red-faced after data breach announcement

A technology glitch at the New Zealand Transport Agency (NZTA) has led to an embarrassing data breach announcement made by officials at the government body.

The glitch occurred within a data key which was known for its strong cyber-security.

“The transport agency can confirm the Google API was incorrectly left open as part of the Traffic Watcher pre-production set up,” NZTA said in a statement.

The high-security code is used to gain access to information from an application programming interface (API) hosted by Google. The API was employed to develop Traffic Watcher, a web-based tool for transport operations bodies, maintenance contractors and the police force.

Experts with knowledge of the system described how the unique key was hardcoded into Traffic Watcher upon its soft-launch at the start of this year, meaning that anyone with basic IT skills would have been able to see and copy the key themselves. With the key at their disposal, it would have been easy for unauthorised parties to gain access to further API data, with the costs billed to NZTA.

The agency has denied that the New Zealand taxpayer has footed the bill, while admitting that there could have been better monitoring of expenses. Officials at the agency are now discussing the potential data breach with data technicians at Google.

In the months of March and July this year, Traffic Watcher was accessed 600 times, a figure which leapt to 3,000 in May. NZTA has not yet said whether the surge in May was down to the key being insecure, and details have not emerged about when the key was made secure either.

In a statement, NZTA said:

“There was one known attempt by a contractor to use this API, which Google shut down as part of their management and security processes, and so stopped access.”
