cfo-nz logo
Story image

NZ Police & research firm caught up in data breach

16 Jul 2020

The New Zealand Police and an unnamed research firm have been caught up in a data breach that may have leaked details of some people who have had contact with police.

The research firm, which conducts service quality research on behalf of the police, flagged the breach and notified police.

The firm believes that the breach could have compromised contact details of a number of people who have had contact with the police.

Police assistant commissioner Jevon McSkimming says that the police and the high tech cyber crime team is now investigating the breach to understand its scope and potential impact.

“Once we have a better understanding of the real risk to people, and the potential impact, we will look to inform those who may have been affected,” says McSkimming.

“NZ Police has suspended provision of any further information to the company and surveying until our investigations are complete."

Last year the police force was caught in a privacy bungle related to the firearms buy-back programme. A legitimate firearms dealer was able to view personal details belonging to owners of firearms.

Deputy Commissioner Mike Clement said in December 2019 that, “We have been able to identify the error back to an update made by our vendor last week which provided dealers a higher level of access to the notifications database. The update was not authorised by Police.”

“We take the privacy of the public information we hold seriously and we will undertake our own additional checks to ensure the system is secure before the online notification platform is re-established.”

The vendor was named as software company SAP. A spokesperson from the company commented:

"SAP can confirm it was notified of a security breach to the New Zealand Police gun buyback system this morning. The security breach indicated that a single dealer user had accessed information not intended to its user profile. As soon as the full details of this incident were understood, all user profiles on the system, except for SAP consultants investigating, were locked, and remain so."

"As part of new features intended for the platform, security profiles were to be updated to allow certain users to be able to create citizens records. A new security profile was incorrectly provisioned to a group of 66 dealer users due to human error by SAP."

The New Zealand Police has also issued these guidelines to help people stay safe online.

  • Be cautious about emails or phone calls asking you to update or verify your details online
  • Be cautious of emails saying you’ve won prizes from competitions that you don’t remember entering
  • Be cautious of emails that try to get you to act quickly by threatening you with legal action or loss of an account
  • Ignore any emails asking you to provide personal information like passwords, or banking information
  • Remember legitimate organisations like banks will never ask you to send them your password
  • Only open email attachments when you’re expecting them, even if you know who the sender is
  • If you’re unsure if an email is from a legitimate organisation, you can contact them to ask. If you do contact them, make sure you go through their official contact channels – don’t use the phone numbers, websites or email addresses included in the email.