'It shouldn't have happened': Privacy Commissioner John Edwards on Ministry for Culture and Heritage digital breach

The Privacy Commissioner has condemned a security breach that exposed the personal information of hundreds of young people to fraudsters, but he says the breach isn't indicative of a wider problem.

"I don't think this is an issue that affects all platforms with which we interact with Government online," Privacy Commissioner John Edwards told the AM Show on Monday morning.

"This appears to be a problem associated with a third-party provider brought in to facilitate this particular competition."

The Ministry for Culture and Heritage revealed on Sunday that 302 young people who had supplied their details as part of an application for the Tuia 250 Voyage trainee programme were affected by the breach.

The at-risk information includes details from passports, drivers' licences and birth certificates.

Prime Minister Jacinda Ardern said on Sunday the breach was "very disappointing".

Officials said all people affected by the breach have been contacted and appropriate measures were being taken to protect their information.

"One thing I will say about this unfortunate event is that at least the Ministry and other public sector agencies seem to have taken it very seriously. When it's been brought to their attention they have jumped into action," says Edwards.

He says the incident is being viewed as a one-off. Despite the breach, he has confidence in the third-party providers the Government works with when dealing with confidential information online.

"There are pretty good standards and I'm quite satisfied with the level of security applied across most of the public service," he says, adding that it would not be feasible to conduct an audit of all third-party companies the Government works with.

"I'm not sure whether at least off the back of this incident we would consider that to be warranted. I've not seen evidence that this is a widespread thing. Three-hundred identity documents is a serious issue but given the number of transactions that people conduct with Government everyday, I don't think it's indicative of a public-sector-wide problem. 

"I don't think there is a need for people to lose confidence at this stage in their ability to interact online with Government."

In announcing the breach on Sunday, chief executive Bernadette Cavanagh acknowledged her Ministry had "let down applicants". 

“I acknowledge that this is completely unacceptable," Cavanagh said.

As soon as the breach was discovered on August 22, all personal information stored was immediately removed from the website, the Ministry said.The following the day the website was shut down and a security investigation launched.

Cavanagh said the information had been publicly available on a website created for the Tuia 250 event and the issue was identified after a parent of one of the applicants alerted the Ministry to a fraud attempt using a copy of a driver's licence stored on the site.

The fraud attempted wasn't a "targeted attack on the website" but rather an "opportunistic finding of information that wasn't as secure as it should have been".