NZ spies not privy to torture
The NZ Transport Agency has admitted to a technology botch-up, leaving what was meant to be a highly secure data key wide open.
‘‘The transport agency can confirm the Google API was incorrectly left open as part of the Traffic Watcher pre-production set up,’’ NZTA said.
The key is a unique code used to access data from Google’s application programming interface (API), in this case through 2018 and in early 2019.
It was used to build Traffic Watcher, an online tool for transport operations centres, maintenance contractors and the police.
Sources familiar with the system said that when Traffic Watcher was soft-launched early this year, this unique key was hardcoded into it, so those with simple IT skills could view and copy it. With that key, it was possible to access other API data with billing passed to NZTA.
NZTA denied the bungle cost taxpayers but admitted it did not keep track of such expenses.
It is now in talks with Google about a possible data breach.
Traffic Watcher was accessed 600 times in March and July this year but almost 3000 times in May.
NZTA has not confirmed if the May surge was because of the insecure key, did not say when it finally secured the key, nor has it provided the earlier site usage figures. However, it has confirmed to Radio NZ that it corresponded with Google about a breach or possible breach of data storage. Google declined to comment.
Radio NZ’S request for details was rejected by NZTA on commercial sensitivity grounds.
‘‘There was one known attempt by a contractor to use this API, which Google shut down,’’ NZTA said. – RNZ