Bay of Plenty Times

ID theft ruins home dream

Mortgage application rejected after thieves rack up $20k debt in victim’s name. Chris Keall reports

Nicole Gaston’s dream of buying a house took a hit in January 2020.

She applied for a home loan, only for her bank to turn her down — citing her bad credit record.

The Wellington librarian, who has a doctorate in information studies, thought there must be some mistake.

Her credit record was spotless. Or so she thought.

Her bank said she in fact has more than $20,000 in bad debt associated with her name — something a major credit agency confirmed.

Her 227 or “poor” credit rating also meant any credit card application, or any attempt to sign up to a new utility service, was likely to be knocked back, the credit agency said.

The genesis of Gaston’s problem, she would eventually work out, dated back to August 2019 when she applied to be part of the Ministry of Culture and Heritage’s Tuia 250 project — a series of commemorations marking 250 years since Captain Cook landed in New Zealand.

On August 25, 2019, the ministry said it had suffered a serious privacy breach that had exposed details of Tuia 250 applicants. Scans of some 373 proof-of-identity documents, including drivers licences, birth certificates and passports were involved.

The ministry said it had alerted every applicant, and spent $25,000 arranging replacement documents for applicants — including a new driver’s licence for Gaston. But the librarian said she thought nothing of it at the time.

“I didn’t think a driver’s licence would be enough to get credit in my name,” she told the Weekend Herald. Even when her bank alerted her in January, she was incredulous.

“My immediate thought was, ‘It can’t be identity theft. It doesn’t happen in New Zealand’.”

But it had. An ID thief had used her licence to obtain a line of credit from a finance company, then rack up bad debts with a phone company, an online retailer and some 18 other businesses.

Still totally naive about the world of ID theft, she approached a major credit agency, assuming that the Ministry of Culture and Heritage openly admitting its security blunder, and police investigation, would make restoring her credit record a doddle. It was not.

Gaston was told she would have to approach each of the 20 companies carrying the offender’s bad debt individually.

That began a slog between phone trees and call-backs and assembling documentation that took the librarian more than 200 hours.

It would be November 2020 before the process was complete and Gaston could reapply for a home loan.

But by that time, housing prices in Wellington had greatly increased.

“Because of the event, I’d been priced out of the market,” Gaston says. (According to the Real Estate Institute of NZ, Wellington saw a 24 per cent increase in its median house price from $718,000 in February 2020 to $890,000 in February 2021.)

The defeat was especially bitter because Gaston’s key reason for buying a house was so that her mother, who has Parkinson’s disease, could live with her.

“It also caused me to develop a chronic illness,” she said. She blamed an eczema breakout on stress caused by the incident.

During her bid to clear her name, Gaston tried calling a hotline set up by the Ministry of Culture and Heritage after its data breach, only to find it had been disabled.

She did discover that in December 2019, the ministry released an independent report (by RDC Group) into the incident that found the website built for Tuia 250 applications had been signed off without security testing — and that testing would have discovered that applicants’ identity documents had inadvertently been stored in a public folder.

Security concerns about the Tuia 250 site were raised, and it was taken offline between June 8 and June 12, 2019, but applicants’ documentation “remained in an insecure environment from the first deployment of the online application process until the website was taken down on 22 August 2019,” the report found.

The report also noted the 250 website had breached several principles of the Privacy Act by:

● Collecting more personal information than was required to make decisions about applicants;

● Failing to store that information securely; and

● Retaining the information longer than necessary. There was no reason to store the applicants’ data after the decision had been made.

In Gaston’s view, the multiple failures identified by the independent report revealed a pattern of negligence — and in its wake, she had been provided with little support.

She complained to the office of Privacy Commissioner John Edwards, who brokered a meeting between Gaston and Ministry of Culture and Heritage staff. “It was a healing experience,” to talk to the people involved, Gaston said.

The librarian also got a $10,000 settlement as a result of the meeting, she says (the ministry declined to talk about individual cases or address if other settlements had been paid).

Although it fell far short of the financial damage she had suffered, Gaston said she appreciated the gesture. She told the Weekend Herald she would likely donate the money to a charity.

Another positive outcome from approaching the privacy commissioner was that she learned about the existence of Idcare — a non-profit organisation set up to support the victims of identity theft across Australia and New Zealand.

Idcare was founded in 2014 by a former executive director of the Australian Crime Commission, with support on this side of the Tasman from then Justice Minister Amy Adams.

It handled New Zealand cases from Australia until 2020, when its first NZ office was opened (in Napier).

“We are the place people can turn to and have a real person guide them through the steps they need to take to protect themselves,” Idcare analyst Kathy Sundstrom says.

“[Our service includes] an Identity Security Operations Centre where a dedicated team of analysts investigate trends from the case notes of those impacted by cybercrime and search the dark net to provide insights for government and organisations and inform directions needed for change.”

There’s no cost, and you won’t be asked to donate (Idcare is funded by its subscribers, which include the likes of government departments, major banks and airlines).

But you will get assigned a cyber-security case manager.

Idcare has a relatively low profile, yet is still busy.

“On average, we respond to around 50 New Zealand client engagements a day to our New Zealand office and 480 across Australia and NZ,” Sundstrom says.

So what could the agency have done in the case of the Tuia 250 data breach?

“If we had been engaged by the Ministry for Culture and Heritage to manage the data breach in the first place, Nicole wouldn’t have discovered there was no one to talk to about her incident five months after the event,” Sundstrom says.

“There is no deadline for accessing our National Case Management Centre if the breached organisation has engaged our services — if someone discovers 10 days or 10 years down the track they have been impacted, our service remains the same.

“Nicole would have been able to speak to a. . . case manager who would have guided her through steps to protect her accounts and her identity, correct the damage that had already taken place (her credit score) and prevent future harm.

“We could have worked with the ministry to ensure that its incident responders were aware of the risks Idcare sees impact the New Zealand community each day when it comes to personal information abuse and the countermeasures available.”

A police spokesperson told the Weekend Herald an investigation of the Tuia 250 data breach, concluded without any arrests, “determined the details and identification documents of 329 individuals were accessible online”.

The investigation could not establish who accessed the documents or if they were published anywhere, the spokesperson said.

One person was subsequently charged with dishonestly using a document, but police say they are not clear if that offender got the ID as a result of the Tuia 250 breach.

“Two incidents were reported to police involving two people whose identification documents were accessible online and were later used fraudulently,” the spokesperson said.

Gaston says if she knew what she knows now at the time of the Tuia 250 data breach, the first thing she would have done was to request “credit file suppression” of her credit record — a step that means there are more hoops to jump through if you want to apply for credit (third parties can no longer access your credit record without your written permission), but which also makes it less likely that an ID thief can take out credit in your name.

She also plans to be a lot more careful, and questioning, when any site asks for a copy of an ID document.

A spokesperson for the Office of the Privacy Commissioner said, “OPC did investigate the Tuia 250 case and facilitated settlement between Dr Gaston and the Ministry of Culture and Heritage.

“As Dr Gaston’s story attests, identity theft can have a devastating impact on someone’s life.”

The public watchdog is also on the front foot, assessing whether credit agencies need to up their game.

“The OPC is investigating credit reporting agencies’ response to identity theft and fraud complaints. This is to ensure it is easy for [victims] of identity theft and credit fraud, to rehabilitate their credit,” the spokesperson said.

The Office of the Privacy Commissioner spokesperson also stressed that, like Idcare, it has a strict policy of respecting complainants’ right to anonymity.

“The OPC has been authorised by Dr Gaston to comment on the matter. This is a rare exception to OPC’s policy of strict confidentiality,” they said.

Photo / Mark Mitchell Nicole Gaston was astonished to learn an ID thief had used her driver’s licence to obtain credit from a finance company, then amass bad debts with a phone company, an online retailer and 18 other businesses.
