Whilst we’re so familiar with cyberattacks and internet-based breaches/thefts, it can be easy to forget security breaches can also include the loss of physical devices. This is exactly what happened to the NZTA(New Zealand Transport Agency). During December of 2018, a USB drive containing the information of 1104 employees of the NTZA went missing somewhere between Auckland and Wellington during a transit procedure.
The information contained within the drive was supposed to serve the purpose for creation of new staff identity cards. New Zealand’s transport minister, Phil Twyford, acknowledged the loss as well as delivered the news that the USB drive was neither password protected or encrypted. Talk about poor security! Needless to say, whoever has the drive will have nothing stopping him/her from accessing the names, emails, photos and signatures of the NTZA staff contained in the drive. Included in a document containing answers to parliamentary written questions, the transport minister briefed on the data fields included:
- Date
- First name
- Last name
- Contact email (NZTA email address)
- Type of card (NZTA staff member)
- Lanyard type (12mm black)
- Card holder type (Single sided)
- New or replacement card (new)
- Contractor company if applicable (no content included)
- Photo attached (Yes or No)
- Delivery address for ID card (NZTA premises)
- Further comments (no content included)
- Signature (no content included)
The fear identity theft looms, but a spokesperson for the NZTA tried to dispel this thought by insisting there was very little risk of this happening. Even so, NZTA staff have been advised to be on the lookout and report any suspicious emails.
Shane Reti, the National’s Data and Cybersecurity spokesman had more than a few things to say in a press release:
“National has received documents which show the huge extent of the breach, cynically released by the Government just before the Christmas holidays…It is hard to believe and completely unacceptable that NZTA would courier staff identity data without password protection and without encryption…NZTA needs to immediately offer all 1104 staff identity theft protection to monitor and protect them if the stolen credentials are used. Email addresses may need to be changed and because photographs were included passport monitoring may also be required…The loss of the data drive is consistent with the cybersecurity laziness this Government has shown as Russian cyberattacks on DHBs, lack of 2-factor-authentication at the Ministry of Health, and now the loss of a data drive with no passwords and no encryption…”
It is still unclear whether the USB device has been found or not. The only clue revealed is it was lost between Auckland and Wellington. Considering how expansive both areas are, this doesn’t narrow down the search much.
