Since the New Zealand government moved to ban semi-automatic firearms after 15 March 2019, owners of now-prohibited firearms have been entering their personal details and the details of their firearms into the database Police have been using to manage the buyback process. On Monday 2nd December (18 days before the buyback is scheduled to end) the database was shut down after it was revealed that users inadvertently had access to other people's data. The database contains the names, addresses, dates of birth and firearms details of over 27,000 people.
After a few press conferences, the official story from Government and Police is that only 1 individual had access to data they weren't authorized to see, and that the records of only 35 people had been compromised – if that's the case then the breach isn't anywhere near as severe as it could have been.
The Council of Licensed Firearms Owners (COLFO), however, released a statement confirming they had been contacted by a number of individuals claiming they had been able to access sensitive data while attempting to use the database to register their own firearms. This statement from COLFO is at odds with the official story, and suggests the problem is much larger than Police are willing to admit.
SAP, the third-party vendor named as responsible for making the changes that caused the breach, has apologised for its role in it, though ultimately it is the Police who are running the buyback program and who are responsible for its smooth operation and for securing the data. Prime Minister Ardern and Police Minister Nash have been very vocal about placing blame on the third-party vendor and insisting they themselves are faultless. While it's probably fair to say the Prime Minister should not be held responsible for the failures of IT projects within Police, the buck ultimately stops with Stuart Nash as the Minister of Police. At the very least, it suggests poor IT management practices within the New Zealand Police.
Many kiwis are speculating that the breach is much larger than the official story is letting on, and that speculation is supported by the fact that Police have elected to keep the database offline for the foreseeable future and switch to a "manual system", whatever that entails. If the breach was a simple misallocation of dealer access, then it should be a minor operation to remove dealer access entirely and bring the system back online – especially given that the period during which firearms owners could hand in to dealers has elapsed, so dealers no longer need access to the system at all.
If the system was secure apart from the dealer logins, then by far the most sensible solution would be to remove those dealer logins and resume normal operation. The fact that this isn't being done raises some serious red flags about how accurate the official story is.