SAP fronts up for NZ’s gun buyback data breach

Published on the 11/12/2019 | Written by Jonathan Cotton

SAP gun buyback data breach

Software giant SAP has ‘unreservedly’ apologised for unapproved changes that lead to the data leak…

SAP has taken responsibility for the mistake that revealed the details of gun owners participating in New Zealand’s controversial semi-automatic weapons buyback scheme, put in place following the Christchurch shootings earlier this year.

A statement from the German software company, which is the creator and provider of the notification platform, says that an incorrect update – designed to allow gun retailers to act as agents for those handing in prohibited weapons – caused the breach.

“As part of new features intended for the platform, security profiles were to be updated to allow certain users to be able to create citizens records,” says the software company.

It’s a bad look for a Government apparently struggling to contain sensitive user data stores – or successfully oversee external IT providers like SAP.

“A new security profile was incorrectly provisioned to a group of 66 dealer users due to human error by SAP… We unreservedly apologise to New Zealand Police and the citizens of New Zealand for this error.”

The discovery of the breach saw the online platform, where dealers were able to register firearms to police, shut down and the buyback programme moved to a manual process.

SAP was notified of the breach by New Zealand Police. Upon examination, the evidence indicated that an authorised dealer user had accessed information not appropriate for its user profile.

“As soon as the full details of this incident were understood, all user profiles on the system, except for SAP consultants investigating, were locked,” says SAP, which is now conducting an internal investigation into the incident.

“The security of our customers and their data is of absolute priority to us,” says SAP. “We continue to work with and offer our full resources to New Zealand Police to ensure the system is fully secure and up and running again as soon as possible.”

Of course ACT and National are making hay while the sun shines. ACT leader David Seymour is calling for Police Minister Stuart Nash’s head and National is drawing parallels between this and similar recent events, calling 2019 ‘the Government’s year of data breaches’.

“This isn’t the first time there has been a significant data breach under this Government,” says Brett Hudson, National’s police spokesperson.

“There was a breach at the Ministry of Culture and Heritage where information on children had been accessed; staff at NZTA were at risk of personal identity theft after a USB drive containing staff identity cards was lost; private details were stolen from the Commerce Commission; and even Treasury has been breached.

“How can New Zealanders have confidence in the firearms register the Government is proposing when they can’t even protect their personal details in their buyback scheme?”

Whether the buyback scheme is a good idea or not, they might have a point there. At the very least it’s a bad look for a Government apparently struggling to contain sensitive user data stores – or successfully oversee external IT providers like SAP.

Nevertheless, as the dust settles, the impact on actual users participating in the scheme is  likely to be low. While the Council of Licensed Firearms Owners has suggested that the entire user database – 37,000 members – was exposed, the Government, NZ Police and SAP agree the reality is in fact less dramatic, with the details of 35 people (including names, addresses and firearms) accessed by a single dealer, who quickly raised the alert about the flaw

The prohibited firearms amnesty and buyback ends on December 20.

Post a comment or question...

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Thank you! Your subscription has been confirmed. You'll hear from us soon.
Follow iStart to keep up to date with the latest news and views...