KiwiRail's been forced to close a vulnerability on one of its websites which allowed passengers to book fake tickets for free.
The state-owned rail company checks new website features and functions in an online environment called UAT (User Acceptance Testing).
Over the past few months, two of the sites haven't had password protection, allowing fake tickets to be purchased with a made-up credit card number.
A whistleblower contacted Newshub pointing out the loophole, and even booked us on a return train journey from Christchurch to Kaikoura tomorrow to prove it.
It was brought to the state rail company's attention more than two weeks ago by Labour's Clare Curran, who had also been contacted by the whistleblower.
Ms Curran wrote to chief executive officer Peter Reidy about the error, who replied saying it was urgently being fixed.
"To their credit they came back to me quite quickly and said they were sorting it out, but as I understand it, it's still not fixed properly and I think there's a public interest. I think the public do need to know when there are security holes in public-facing websites.
KiwiRail told Newshub its cyber security was never compromised and none of the tickets produced were valid. It's also confirmed the sites are now password protected.
"Although it appeared to you and your source that there was a vulnerability in our website, in fact the integrity of the booking system was never compromised," a spokesperson says.
"What looked like a valid booking reference number was a used number so as soon as it was entered in our system it revealed that the train trip had already been taken, therefore could not be used again."
The company claims it's lost no revenue, but couldn't rule out the possibility someone had used the fake tickets to board a train or a ferry.
Ms Curran says while the vulnerability wasn't a serious breach of personal data like there's been at other departments, she wants this taken seriously.
"It's not Ministry of Justice, it's not MSD, but it is a public-facing website and I do think government agencies and their websites should be water-tight and maybe a review is required," she says.
Transport Minister Simon Bridges hadn't been told about the error until Newshub asked him about it, and he says he'll make enquiries.
"KiwiRail is a business and as far as the Government is concerned, we want it to be as commercial as possible and we can't see money being lost in that sort of way."
KiwiRail says all tickets booked through the test website are invalid and won't work when scanned at check-in.
Newshub.
