2 Dec 2019

Police gun buyback scheme continues as company fixes data breach

7:04 pm on 2 December 2019

Police say the gun buyback programme will continue - despite a privacy breach the deputy commissioner blames on a software update.

Earlier today, the police website for the national firearms buyback scheme was shut down after a member of the public alerted authorities to the data breach.

During a press conference this evening, deputy commissioner Mike Clement said a dealer notified police of the situation this morning.

Mr Clement said that dealer was able to access and view details of gun owners after a software update caused the privacy breach.

He said the breach was traced to an online update from German software provider SAP last week, which had provided users with greater access to gun owners' details on the database.

Mr Clement said the update was initiated without police approval and that the notification platform had been taken offline until the company could assure police it had been fully secured.

He told Checkpoint it was a human error and that police took an hour to shut the site down after they were alerted to it.

"What we've been trying to do is work with dealers to give them the information they need to better process the firearms that they come into contact with and what we've been trying to do over time is to develop that software and meet that purpose," he said.

"It was supposed to go into a testing environment, the software solution and by a human error, it went into production, or the live site. So the information was available and it shouldn't have been."

He said he was disappointed with the company's mistake, but the public should be assured their private details were safe, despite the glitch.

"We found out about it, we closed the access to it very quickly and we're moving to work out what has happened so we can get on with the buyback. This is an unfortunate setback but we will get to the bottom of it."

He said SAP was analysing its audit log data and would confirm tomorrow whether only one dealer accessed the information, who Mr Clement said had done the right thing in immediately contacting police. Police would also reveal what, if anything, was done with that information.

Police would be doing additional checks before the site was re-established.

A police statement said: "The firearms buy-back programme is continuing and we will be using a manual process to manage the return of prohibited firearms."

The Office of the Privacy Commissioner was being informed of events, while police worked through a list of individuals whose details had been accessed.

In a statement, the Council of Licensed Firearms Owners (COLFO) denounced the "shocking development" and claimed the full details of banned firearms and their location had been "available online to the public".

Police Minister Stuart Nash, however, assured gun owners their private information had not been exposed to the wider public.

Speaking at Parliament, Mr Nash told reporters it appeared only some "approved firearms dealers" had been able to access the sensitive data, including contact and bank details.

"I do need to stress that this information was not publicly available," he said.

"I'm extremely disappointed at the potential for any breach," Mr Nash said.

Asked whether there would be any consequences for the incident, Mr Nash said: "Let's get to the bottom of how this occurred."

In the meantime, he issued a warning to anyone who had seen or downloaded the data.

"It is illegal, I understand, to even download that information, but it is certainly illegal to distribute that information. And so my advice to anyone who does have that information is to delete it, because if they do distribute it, they will get a knock on their door."

Mr Nash said he understood that, so far, the only person who had shared the information - with redactions - was COLFO's lawyer.