ID theft ruins home dream
Nicole Gaston’s dream of buying a house took a hit in January 2020. She applied for a home loan, only for her bank to turn her down — citing her bad credit record.
The Wellington librarian, who has a doctorate in information studies, thought there must be a mistake. Her credit record was spotless. Or so she thought.
Her bank said she in fact had more than $20,000 in bad debt associated with her name — something a major credit agency confirmed. Her 227 or “poor” credit rating also meant any credit card application, or any attempt to sign up to a new utility service, was likely to be knocked back, the credit agency said.
The genesis of Gaston’s problem, she would eventually work out, dated back to August 2019 when she applied to be part of the Ministry of Culture and Heritage’s Tuia 250 project — a series of commemorations marking 250 years since Captain Cook landed in New Zealand.
On August 25, 2019, the ministry said it had suffered a serious privacy breach that had exposed details of 250 Tuia applicants. Scans of 373 proof-of-identity documents, including drivers’ licences, birth certificates and passports were involved.
The ministry said it had alerted every applicant, and spent $25,000 arranging replacement documents for applicants — including a new driver’s licence for Gaston. But the librarian said she thought nothing of it at the time.
“I didn’t think a driver’s licence would be enough to get credit in my name,” she told the Weekend Herald. Even when her bank alerted her in January, she was incredulous.
“My immediate thought was, ‘It can’t be identity theft. It doesn’t happen in New Zealand’.”
But it had. An ID thief had used her licence to obtain a line of credit from a finance company, then rack up bad debts with a phone company, an online retailer and some 18 other businesses.
Still totally naive about the world of ID theft, she approached a major credit agency, assuming that the Ministry of Culture and Heritage's open admission of its security blunder, and the police investigation, would make restoring her credit record a doddle. It was not.
Gaston was told she had to approach each of the 20 companies carrying the bad debt individually. That began a slog between phone trees and call-backs and assembling documentation that took more than 200 hours.
It would be November 2020 before the process was complete and Gaston could reapply for a home loan. But by that time, housing prices in Wellington had greatly increased.
“Because of the event, I’d been priced out of the market,” Gaston says. (According to the Real Estate Institute of NZ, Wellington had a 24 per cent increase in its median house price from $718,000 in February 2020 to $890,000 in February 2021.)
The defeat was especially bitter because Gaston’s key reason for buying a house was so that her mother, who has Parkinson’s disease, could live with her.
“It also caused me to develop a chronic illness,” she said. She blamed an eczema breakout on stress.
During her bid to clear her name, Gaston tried calling a hotline set up by the Ministry of Culture and Heritage after its data breach, but it had been disabled.
She did discover that in December 2019, the ministry released an independent report (by RDC Group) into the incident that found the website built for Tuia 250 applications had been signed off without security testing — and that testing would have discovered that applicants’ identity documents had inadvertently been stored in a public folder.
Security concerns about the Tuia 250 site were raised, and it was taken offline between June 8 and June 12, 2019, but applicants’ documentation “remained in an insecure environment from the first deployment of the online application process until the website was taken down on 22 August 2019,” the report found.
The report also noted the Tuia 250 website had breached several principles of the Privacy Act by:
● Collecting more personal information than was required to make decisions about applicants;
● Failing to store that information securely; and
● Retaining the information longer than necessary. There was no reason to store the data after the decision had been made.
In Gaston’s view, the multiple failures identified by the independent report revealed a pattern of negligence — and she had been provided little support.
She complained to the office of Privacy Commissioner John Edwards, who brokered a meeting between Gaston and Ministry of Culture and Heritage staff. “It was a healing experience,” to talk to the people involved, Gaston said.
The librarian also got a $10,000 settlement as a result of the meeting, she says (the ministry declined to discuss individual cases or say if other settlements were paid).
Although it fell far short of the financial damage she had suffered, Gaston said she appreciated the gesture. She told the Weekend Herald she would likely donate the money to a charity.
Who ya gonna call?
Another positive outcome from approaching the privacy commissioner was that she learned about Idcare — a non-profit organisation set up to support the victims of identity theft across Australia and New Zealand.
Idcare was founded in 2014 by a former executive director of the Australian Crime Commission, with support on this side of the Tasman from then Justice Minister Amy Adams.
It handled New Zealand cases from Australia until 2020, when its first NZ office was opened (in Napier).
Certnz
Idcare
Privacy Commissioner
“We are the place people can turn to and have a real person guide them through the steps they need to take to protect themselves,” Idcare analyst Kathy Sundstrom says.
“[Our service includes] an Identity Security Operations Centre where a dedicated team of analysts investigate trends from the case notes of those impacted by cybercrime and search the dark net to provide insights for government and organisations and inform directions needed for change.”
There’s no cost, and you won’t be asked to donate (Idcare is funded by its subscribers, which include the likes of government departments, major banks and airlines). But you will get assigned a cyber-security case manager.
Idcare has a relatively low profile, yet is still busy.
“On average, we respond to around 50 New Zealand client engagements a day to our New Zealand office and 480 across Australia and NZ,” Sundstrom says.
So what could it have done in the Tuia 250 case?
“If we had been engaged by the Ministry for Culture and Heritage to manage the data breach in the first place, Nicole wouldn’t have discovered there was no one to talk to about her incident five months after the event,” Sundstrom says.
“There is no deadline for accessing our National Case Management Centre if the breached organisation has engaged our services — if someone discovers 10 days or 10 years down the track they have been impacted, our service remains the same.
“Nicole would have been able to speak to a . . . case manager who would have guided her through steps to protect her accounts and her identity, correct the damage that had already taken place and prevent future harm.”
Facts elusive
A police spokesperson told the Weekend Herald an investigation of the Tuia 250 data breach, concluded without any arrests, “determined the details and identification documents of 329 individuals were accessible online”.
It was not established who accessed the documents or if they were published anywhere.
One person was subsequently charged with dishonestly using a document, but police were not clear if that person got the ID as a result of the Tuia 250 breach.
“Two incidents were reported to police involving two people whose identification documents were accessible online and were later used fraudulently,” the spokesperson said.
Protect yourself
Gaston says if she knew what she knows now at the time of the data breach, she would have requested “credit file suppression” of her credit record — a step that means there are more hoops to jump through if you apply for credit (third parties can no longer access your credit record without your written permission), but which also makes it less likely an ID thief can get credit in your name.
ID theft response
A spokesperson for the Office of the Privacy Commissioner said, “OPC did investigate the Tuia 250 case and facilitated settlement between Dr Gaston and the Ministry of Culture and Heritage.” “As Dr Gaston’s story attests, identity theft can have a devastating impact on someone’s life.”
The public watchdog is also assessing whether credit agencies need to up their game.
The Office of the Privacy Commissioner spokesperson also stressed it had a strict policy of respecting complainants’ right to anonymity: “The OPC has been authorised by Dr Gaston to comment on the matter. This is a rare exception to OPC’s policy of strict confidentiality.”