[BreachExchange] SAP apologises after NZ firearms registry upgrade privacy breach

Destry Winant destry at riskbasedsecurity.com
Tue Dec 3 10:09:39 EST 2019


Gun buyback site shut down.

A systems update by SAP for the cloud platform used by the New Zealand
police as part of its government-mandated gun buyback of
semi-automatic rifles caused a privacy breach, leading to the entire
online system being shut down.

Deputy commissioner Mike Clement said the problem was reported to NZ
police by an arms dealer with legitimate access to the firearm buyback
site, who was able to view details of gun owners.

The New Zealand government instigated a buyback programme for
semi-automatic firearms after the Christchurch mosque shootings in
March this year that killed 51 people and injured 49, the deadliest
such attack in the country's recent history.

NZ police were notified of the privacy breach on Monday morning.

Clement said that the system update was not authorised by the police,
and led to arms dealers having a higher level of access to
notifications in the registry database than they should have had.

Police said only one dealer logged in after the update, making the
breach an isolated incident. The personal details of gun owners,
particularly location-based data, are regarded as acutely sensitive.

A spokesperson for SAP confirmed the German enterprise software vendor
was notified of a security breach to the New Zealand police gun
buyback system.

The SAP spokesperson said that as soon as the full details of this
incident were understood, all user profiles on the system, except for
SAP consultants investigating, were locked, and remain so.

A total of 66 arms dealers in the system were assigned the wrong
profile due to human error by SAP, the spokesperson said.

"We unreservedly apologise to New Zealand Police and the citizens of
New Zealand for this error," the SAP spokesperson said.

While investigations into the botched upgrade continue, the
police-managed buyback programme will continue manually.
