A National MP has questions for the PM after it was revealed the Ministry for Culture and Heritage's digital privacy breach affected more people than originally thought.
Last month it was revealed 302 young people had personal details such as their passports, driver licences and birth certificates exposed to fraudsters after a website breach.
The information was supplied as part of an application for the Tuia 250 Voyage trainee programme, and 20 of the young people were internationals.
- Government forced to take urgent steps over data breach
- Embassies and high commissions contacted over digital privacy breach
- 'It shouldn't have happened': Privacy Commissioner John Edwards on Ministry for Culture and Heritage digital breach
It has now been revealed that almost 30 percent more - 403 people - were affected by the breach.
The minister responsible for the Ministry for Culture and Heritage is Prime Minister Jacinda Ardern, and National MP Dr Shane Reti is demanding answers from her.
In written questions to the Prime Minister this week, Dr Reti - MP for Whangārei - asked her if 302 was still the number of young people with personal data breached.
Deputy Labour leader Kelvin Davis, filling in for the PM, said a secondary audit found that the number of "primary" affected people was actually 309, and that 94 people had been affected in a "secondary manner".
Those secondary affected people were applicants' parents whose details were listed on their children's birth certificates.
Davis also revealed that 71 people under the age of 18 had been affected by the breach. This included passport details, driving licences, birth certificates, education-related documents and application forms.
The Prime Minister said from the beginning she has been "very mindful of the fact that we had a portion of people who were affected by the breach who were young".
She said the offer has been made to directly to those affected to replace ID documents, passports or driver licences free of charge.
"That was an offer made straight away. Equally, police were sought for advice in support of those affected," Ardern said during a media stand-up in Tokyo.
The ministry said last month advice from its security investigators was that it wasn't a targeted attack, but rather an "opportunistic find of information" that wasn't as secure as it should have been.
The breach happened when details were uploaded to an externally contracted website which was then compromised, exposing the young peoples' details.
"This is an example where an external contractor sought information and it wasn't held securely," Ardern said.
Dr Reti is concerned about how the website developer was awarded the contract, after Davis revealed the developer was known to at least one ministry staffer.
Davis said the ministry has commissioned an independent review that will "consider the nature and impact of any personal relationships on the breach".
Dr Reti said the public "deserves to know if the website developer was awarded the contract because of a personal relationship rather than following proper procurement processes".
"It's clear the developer wasn't up to the job, and it's worse than we thought... Children's details were leaked on the internet and the ministry doesn't even know who's seen them."
Ardern said there is a "much wider message here".
"We cannot be complacent about people's private data online... We're making moves as a Government to make sure there is a much higher expectation around protecting people's information."
The breach forced the Government to take urgent steps last month to stop its ministries using unapproved contractors for digital projects.