3 Dec 2019

Gun buy-back data breach prompts calls for agencies to step up vigilance

8:19 am on 3 December 2019

Government agencies and police have been told to lift their game in protecting personal details after a breach in the gun buyback scheme allowed names and addresses to be viewed.


Police Minister Stuart Nash and Police Deputy Commissioner Mike Clement. Photo: RNZ / Dom Thomas

The website has now been temporarily shut down.

Police Deputy Commissioner Mike Clement blamed third-party German software company SAP for the breach.

SAP apologised for the error and said only 66 gun dealers would have had access to those personal details.

Mr Clement told reporters yesterday one dealer had accessed the personal information and notified police.

Nicole McKee, of the Council of Licensed Firearms Owners, said her organisation has been told other people had been able to view the data.

"Our lawyers had received notification from 15 others that they had been able to access that information and several ... said they were able to download all the information that was on that site as well," she said.

Ms McKee said they were in the process of verifying whether all 15 people were gun dealers or simply members of the public.

She told RNZ's Morning Report today that they were able to see names, phone numbers, addresses, bank details, firearms licence numbers, date of birth and the list of firearms, prohibited firearms and prohibited parts.

She said gun owners who had provided their information were concerned for the safety and wellbeing of their families.

"What you've had here is a potential shopping list for criminals ... if that information gets out into the wrong hands then what they have is the ability to produce a fake firearms licence with all of these persons' details, they have the private information to call banks and say that they need to gain access to some of the bank accounts and more importantly they have information on what types of firearms has been held or are currently being held by these licensed owners in their homes."

She acknowledged there was no evidence at this stage that anyone outside the firearms community had accessed the information, but said the breach meant firearms owners had no trust or confidence in the system.

"This was rushed through the entire legislative process including the second tranche that's before us now, the third tranche that's also before us now and the fact that police have said when we told them and government to just slow it down and do it properly, they have said 'we don't need to do that, we can rush this, we can get it done well'. Well, they've failed, it's as simple as that."

Mr Clement, however, argued that the software provider SAP had assured the police only one person had accessed the data, and said it was not logical to say it had been widely available to the public.

"They've been checking throughout the day yesterday and again overnight and they tell me through their audit systems that exist within the software system that only one person accessed the information and that person is the person who contacted us to say there was a problem ... that person maintains they contacted us and didn't do anything else with it, so it's not available to anybody else," he said.

"I've reached out to COLFO and I'll do it again to say 'well, if you've got these people can you ask them to provide their details to me so we can get in touch with them so we can put those two things together'."

He said it would be difficult for any criminal fraternity to have gained access to the data.

"I don't follow the logic ... that would mean that people who are doing the right thing by using the system to process their firearms would then go and use that information and give it to people who are unlicensed. I don't follow the logic but anyway I guess it's a possibility and it would certainly be one of those things that we ensure doesn't occur."

He said SAP had publicly admitted the breach was their fault.

"A fairly unique occurrence for a software company, so I'm full of respect for them doing that. They have as their number one priority the security of information as I'm sure all software companies do - as organisations like ours do."

Gehan Gunasekara from Privacy Foundation New Zealand, which lobbies for privacy rights, was not impressed by the police pointing the finger at the software company.

"There's always a reason isn't there, these things happen," he said.

"[But] everyone's going to be having to lift their game, especially government and the police. You would expect them to be setting the standard."

Mr Gunasekara said there had been too many privacy breaches by government agencies.

Just four months ago, sensitive information on hundreds of young people was exposed online by the Ministry for Culture and Heritage.

Mr Gunasekara said the government had to do better.

"What I would like to see is that privacy is not an afterthought," he said.

"The security aspect needs to be done first ... it's not just a box-ticking exercise."

Barrister Kathryn Dalziel, who specialises in privacy law, agreed.

"We've also got a bit of culture of 'she'll be alright', and sometimes we see that government money is directed into other areas rather than cyber security," she said.

"We've now seen a couple of data breaches this year, I believe that boards looking after government agencies are going to be saying, actually that's a top priority and we're going to be needing to put something in place."

Ms McKee said their members involved with the gun buyback scheme were very concerned.

"At this stage, the alarm bells that we are hearing is more about security for themselves, their families and their homes rather than those who say 'we're not going to hand in [firearms anymore]'," she said.

"We have not even been able to process all of the feedback we've had from our members yet."

National Party leader Simon Bridges said estimates showed only about 10 percent of firearm owners had handed in their guns.

He said because of the data breach that number was unlikely to grow.

"In a situation where some, possibly all, of that 10 percent has had their details out there. That is a huge breach of trust," he said.

"It means that people who hadn't handed back - that vast majority of gun owners who might have military style or semi-automatic weapons - are incredibly unlikely to."

Police said the firearms buyback programme would now be using a manual process for data.

German software company SAP said a full internal investigation was under way.

It unreservedly apologised to the police and New Zealand citizens for the error.
