A top tech boss at the Ministry of Culture and Heritage (MCH) reviewed the Tuia 250 website's security and declared it "fit for purpose" just two months before a major breach was uncovered, new correspondence shows.

The security lapse - discovered by a member of the public in August 2019 - compromised the privacy of roughly 300 young people who had uploaded sensitive material while applying to take part in commemorations.

The breach exposed copies of the applicants' passports, birth certificates and drivers' licences online, leaving them able to be found via a simple Google search.

Correspondence obtained by RNZ under the Official Information Act shows the website - which was set up by an external contractor - had been given the all-clear by MCH Chief Information Officer Kenny Townsley.

Emails show Townsley conducted a "security review" of the site in early June 2019 after concerns were raised within the Ministry.

As part of the assessment, he sought assurances from the contractor, but did not personally test that the site was secure.

In an email sent on 11 June, the contractor told the Ministry that the website's security was up to scratch, but admitted the personal data being collected was "not encrypted" while being stored on the server.

Later that day, Townsley wrapped up his "review", concluding that the site was "fit for purpose from a security point of view" and all functions should be enabled.

"Information provided by the website vendor ... does verify that security has been considered as a core requirement and they have put in place security measures that would be deemed reasonable and appropriate," he emailed to senior management.

At no stage was the website directly tested by the Ministry to determine whether it was truly secure and appropriately configured.

Several days after the sign-off, MCH deputy chief executive Tamsin Evans received an internal email alerting her that the Tuia 250 website lacked "any of the usual legal protections or disclaimers found on government websites".

"We need to add this information urgently, especially in light of our online forms through which we are collecting sensitive personal information for our trainee applicants," the email said.

An independent review of the botch-up - released in December - concluded the breach was most likely caused by the contractor having incorrect security settings on files containing personal information.

The report stated, however, that the Ministry was ultimately accountable, highlighting its failure to properly test the website's security or carry out a privacy impact assessment.

"The issues with the security settings and the insecure storage of personal information could have been discovered and rectified if penetration testing of the website had been carried out before the application process went live," the report said.

In response to the report's findings, MCH chief executive Bernadette Cavanagh apologised and said she had taken "immediate action" to improve security systems.

The Ministry has since committed to making security testing mandatory on all technical systems holding personal information.

In a statement to RNZ, Cavanagh said she retained full confidence in Townsley.

"He made recommendations based on all the information he was provided at the time," she said.

Cavanagh reiterated that the Ministry took full responsibility for the breach, had carried out a thorough investigation and was focused on preventing a repeat occurrence.