The New Zealand’s Transportation Agency is in the hot seat as a very important USB flash drive containing personal information of at least 1,000 of their employees is missing. Usually, personnel information is stored cryptographically locked in a secure server, however, due to the need to produce identification cards for 1,000+ employees, it needs to be copied to a USB flash drive that went missing.
The USB flash drive came in question went missing while being transported to a 3rd party security firm in Wellington from Auckland’s transportation agency office. The USB flash drive contains records of 1000+ employees containing their picture, full name, email address and their office addresses.
“The programme to issue ID cards is not in response to any one issue but is part of ongoing work to improve security and safety for employees and visitors to our offices,” explained the representative of New Zealand Transportation Agency.
Dr. Shane Reti, spokesperson of the New Zealand National Party Cybersecurity expert refuted the relaxed stance of NZTA about the missing USB, highlighting the dangers it poses to the thousand employees of the agency if the device falls on wrong hands. “It is hard to believe and completely unacceptable that NZTA would courier staff identity data without password protection and without encryption. It’s really easy to password protect a USB and not that hard to encrypt it either,” explained Dr. Reti.
It is very alarming that a government agency will use an unencrypted USB flash drive to sneakernet important data to a remote location, 642.7 KM away from Auckland. Wellington is where the IDs will be manufactured using the data contained in the now lost unencrypted USB flash drive.
Reti don’t want to consider the issue as just a minor inconvenience, but rather just an effect of a can of worms that got opened, ripe for inquiry. Asked for comment by the Parliament, Phil Twyford, the Transportation Minister emphasized that he was only made aware of the incident on December 2, 2018. He also received information that the data stored on the flash storage is not encrypted, and anyone that possess the device can see the files on the clear. The NZTA has done an extensive search to look for the missing USB flash drive to no avail. The courier company while not directly blamed for the incident is also part of the search team tasked to look for it.
NZTA due to this incident is now reviewing their data storage and transport process in order not to have this same incident from recurring. But the National Party is highly considering pushing for changes, as it is suggesting for the Privacy Commission, an independent body to perform a careful audit of the incident. Reti wants nothing but full disclosure and transparency from the Transport Agency about all the details of the case, as the government needs to reassure the citizens that data handling is secure and private. The Privacy Commissioner, John Edwards has not made any comment yet about the issue and neither any of his subordinate officials.