NZTA again in hot water after a USB containing data on 1100 employees was 'misplaced'

The USB drive was not password protected and was not encrypted. Photo / File

National says a lost USB drive, containing information on more than 1000 NZTA employees, is a massive security breach and is calling on the Privacy Commissioner to investigate.

The USB drive was misplaced somewhere between Auckland and Wellington late last year, Transport Minister Phil Twyford confirmed in written parliamentary questions a week before Christmas.

He also confirmed the USB drive was not password protected, nor was it encrypted.
It contained the names and email addresses of 1104 NZTA staff.

National's Data and Cybersecurity spokesman Shane Reti said the misplaced drive constitutes a "significant data privacy breach".

"It is hard to believe, and completely unacceptable, that NZTA would courier staff identity data without password protection and without encryption."

But a spokeswoman for NZTA said it believed there was "minimal risk" of a person's identity being stolen.

"In accordance with good cyber security practices the Transport Agency has advised staff not to click on any suspicious emails in coming days and report it through internal IT channels.

"We have also notified the Office of the Privacy Commissioner."

It is unclear from the written questions if the drive was recovered, but Twyford admits it was misplaced.

He said he was made aware of the situation by the NZTA's chair on December 2.

"Transport Minister Phil Twyford is responsible for the NZTA and his lack of transparency over this data loss is another example of NZTA failing under his watch," Reti said.

The lost USB drive is the latest in a string of issues involving NZTA.

In December, its chief executive Fergus Gammie resigned. He had been under fire since it was revealed the NZTA had not been carrying out its regulatory function properly, resulting in thousands of vehicles so far having to be retested for warrants of fitness.

In mid-October, the NZTA board, together with the Minister of Transport Phil Twyford, announced an extensive review of NZTA compliance files by law firm Meredith Connell was under way and a tougher enforcement regime was being implemented.

Reti said NZTA needed to immediately offer all 1104 staff identity theft protection to monitor and protect them if the stolen credentials are used.

"NZTA needs an independent body such as CertNZ or the Privacy Commissioner to urgently review their cybersecurity policies and reassure the public with a report on findings and actions."