[BreachExchange] Phil Goff's emails hacked - 15, 000 emails over 12 years offered for sale

[Destry Winant]

https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12306872

Emails apparently sent and received by Auckland mayor Phil Goff over a
12-year period have been offered with a $20,000 price tag and appear
to contain deeply personal information alongside council and
Parliamentary work.

Communications sent to the Herald suggest there has been a complete
grab of Goff's inbox and sent folders. Among many other topics, they
appear to include fundraising plans for Goff's mayoral bid,
"confidential" polling data during last year's campaign and sensitive
business information.

The seller claims to have more than 15,000 emails from an Xtra account
in Goff's name with the database spanning from 2007 to 2019.

Evidence sent by the seller and examined by the Herald appears to
confirm the claims.


It is unknown if the seller has offered the emails to other businesses
or individuals.

Goff would not be interviewed over the alleged breach.

In a statement, his chief of staff Nirupa George referred to the
Herald revelation as an "alleged hack of his family email account".

"Like thousands of other account holders across the country he assumed
the service provider's email platform was secure. While the
authenticity of the hack has not been verified, the Mayor has
discontinued use of the email account and taken advice from experts.

"This matter is now subject to investigation by the police and other
relevant agencies."

The broad use of a private, unsecured email for sensitive public
service work dogged former United States presidential candidate
Hillary Clinton, sparking investigations there into her handling of
classified and confidential material.

In 2011, Goff weighed into public debate over the use of a private
email account by then-Foreign affairs minister Murray McCully, which
had been hacked. Goff called it a "wake-up call" and was quoted
saying: "Anything (of) an official nature should be going through
protected channels."


Information provided by the would-be seller of Goff's emails appears
to show the mayor used his Xtra email address during the time he was a
government minister, while leader of the Labour Party, as an MP and
since becoming Mayor of Auckland.

When asked how it was obtained, the person responded: "The data was
forwarded to me by a friend."

A person claiming to have 15,000 emails belonging to Auckland mayor
Phil Goff sought $20,000 from the Herald. Photo / File

In email conversations, the person claimed: "I have every sent and
received email from 2007 - Oct 2019 including all attachments.

"Considering the amount of information and the exclusivity of it I
think a fair price would be $20k NZD, but happy to negotiate."

The Herald does not engage in chequebook journalism. Our editorial
today explains the rationale of why referencing the emails is of
strong public interest.

The Herald has told Goff's office it will not buy the database and has
discontinued contact with the person claiming to hold the information.

The person claiming to hold the database sent the Herald examples of
the material and text files containing subject lines of documents
claimed to be in the Inbox and Outbox of Goff's Xtra account.

The subject lines in the material appear to show information from
Goff's time as Minister of Defence in 2007 through to late 2019. It
also shows the database apparently holds personal information,
including medical information, personal finances and photographs.

Among the emails provided were two dealing with campaign financing.
One began with the line: "Team all emails should be on personal
addresses or those that cannot be subject to an official information
request".

Goff appears to have received the email in his Xtra account and sent
it to his executive assistant's email account at Parliament.

The emails provided also included what appeared to be one sent to Goff
as mayor and containing sensitive commercial information about a
council transport contract. A purported attached document included
specific dollar amounts bid for a transport contract.

One of the emails offered included sensitive details about a transport
contract. Photo / Dean Purcell

Such information would appear to be of intense interest to others
looking to bid for council transport contracts, should they be offered
to and received by them.

A police spokeswoman said: "Police can confirm that we have been made
aware of this matter … and initial enquiries are under way to
ascertain what has occurred. We will not be making any further comment
at this stage."

The Herald contacted Spark after it had confirmed the emails on offer
were likely to be genuine.

A spokeswoman for Spark, which provides customers with Xtra email
accounts, said: "In line with our security protocols, when we were
made aware of this issue we contacted the customer and suspended the
account.

"We are investigating the matter; however based on our current
information we believe this is an isolated issue. Security is very
important to us and we regularly provide information to our customers
on how to keep their email accounts secure."

Xtra's email service became exposed during the 2013 hack of Yahoo -
disclosed in 2015 - which saw information on all three billion of its
accounts harvested. At the time, Xtra was using Yahoo as the supplier
of its email service. It dropped the service, citing security issues.

Labour's general secretary Andre Anderson was unsure of the party's
protocols or policies around handling of sensitive information when
contacted by the Herald.

Auckland mayor Phil Goff at his re-election party in October last
year. Photo / Sylvie Whinray

He said political parties with a high volunteer involvement - such as
Labour - couldn't provide broad security measures to all.

A person whose communications were included in the information seen by
the Herald was frustrated to hear the communications to Goff were in
the database.

"It's criminal. The person (who did this) should be held accountable."

Insomnia Security hacking expert Adam Boileau said weaknesses in
security could be created when people used the same or similar
passwords across services.

He said a barrier should exist between private email and systems such
as those Goff used in Parliament then Auckland Council to stop the
transfer of information.

Boileau said data trafficking was a constant activity online, with
large databases being exploited by criminal syndicates seeking out
ways to make money out of the information.