Passports, drivers' licences and birth certificate details have been exposed to fraudsters after a serious Government digital privacy breach.
The Ministry for Culture and Heritage says 302 young people supplied their details to it as part of an application for the Tuia 250 Voyage trainee programme.
These were uploaded to an external website which was then compromised, exposing their details.
- Inside the Budget breach: What we know
- Where you’re getting the Treasury budget data breach story all wrong
- Budget 2019 scandal: Beehive allegedly warned Treasury wasn't hacked
"I would like to apologise to all people affected by this breach," says ministry chief executive Bernadette Cavanagh. "I acknowledge that this is completely unacceptable and am using every resource available to me to support them through this issue."
The issue was identified after a parent of one of the applicants alerted the ministry on Thursday 22 to a fraud attempt using a copy of a driver licence stored on the site.
The website was shut down on Friday, August 23 - however information from investigations so far shows that at least 370 documents have been compromised.
"We have let down applicants. They trusted us with their sensitive information and documents and we recognise that for many people their personal information is taonga. The level of security required to keep that information confidential simply wasn't good enough," Cavanagh says.
"I have asked for an external review to see what went wrong in this case and to ensure that the ministry's processes around gathering and storing information is robust. I would like to sincerely apologise to those impacted by this situation. My number one focus is ensuring that affected people have the level of support they need."
Police and the Ministry for Culture and Heritage are now investigating.