Sorry, Not Sorry – Government Downplays Security Breach of “Buyback” Database

New Zealand’s dumpster fire of a government-mandated “buyback” program has become even more of a hot spot of contention. Sources indicate that the sensitive personal information of gun owners kept in a police database became accessible to users of the buyback program website. The information includes names, addresses, firearm license numbers, and bank account details.

The database was established shortly after the government announced a ban on certain semiautomatic firearms and accessories, along with a mandatory “buyback,” early this year. Under New Zealand’s new firearm law, the Arms (Prohibited Firearms, Magazines, and Parts) Amendment Regulations 2019, the possession of “prohibited firearms, magazines and parts” is now a crime, although affected owners have until December 20 in which to surrender their property to the police. Police obtain firearm license, bank account, and other personal information from owners as part of the buyback process.

The country’s Prime Minister, Jacinda Ardern, confirmed that gun dealers were given access to the police buyback database. “[N]ot everyone would wish to return their weapons directly through police stations so dealers were created as agent authorities that could be part of the buyback process. As part of that they were able to access [the database].”

The buyback database is administered by an external provider, the German software company SAP. The breach was unrelated to hacking; instead, SAP admitted it made changes so that the site’s security profile “was incorrectly provisioned” and allowed access. Police Minister Stuart Nash indicated that these changes had not been authorized by the New Zealand Police.  

The government and police were reportedly not aware of the security issues with the site until a gun rights group, the Council of Licensed Firearm Owners (COLFO) raised the alarm in a December 1st public notice. Minutes later, the entire site was shut down. 

Police Deputy Commissioner Mike Clement subsequently advised that the data may have been exposed since November 27, and was unable to give “ironclad” assurances that the data had not been more widely disseminated. COLFO, however, released redacted screenshots of the website and advised that information had been downloaded before the site was disabled.

Going forward, the site will remain offline and the buyback will be implemented using pen and paper. The data breach is just the most recent of the problems surrounding the buyback program.

Pranksters were able to use online notification forms associated with the buyback to send police fake notices regarding firearms that would be turned in, causing “a huge waste” of police resources. Criminals, predictably, are refusing to turn in their weapons. Police met with gang leaders as part of a compliance effort for the gun ban and buyback program, but reported that the criminal fraternity (oddly enough) “had a different approach to law abiding members of the public, in relation to the return of guns.”            

When called upon to account for the damaging data breach, Police Minister Nash said he was “bloody annoyed” about it but flatly refused to be held accountable, suggesting that data breaches are to be expected in government operations (“400 data leaks occurred” with the previous administration) and that “it’s not my responsibility” to oversee a contractor delivering a government service. Asked to at least concede that the data leak had eroded whatever support the country’s gun owners had for the buyback program, Nash instead called out the gun rights community as the real problem: a “small group of radical gun nuts … called COLFO who are against this. They have always been against it. This is how the gun lobby works here and overseas.” Elsewhere, the police minister emphasized that the police were “doing a fantastic job on monitoring this buyback” program, and that the program “was going incredibly well.”   

Kiwi gun owners likely have different feelings about the program’s success (and the release of their personal data) than these dismissive and sunny pronouncements.

If nothing else, the data breach – and the government’s nonchalant reaction – give ample cause for concern regarding the next phase of New Zealand’s gun control law. The new firearm registry will be another such repository of sensitive personal information in the hands of the government, to monitor every legal firearm in New Zealand by collecting both personal information (the licensee’s name, address, date of birth) and the particulars of the firearm (identifying information and all transfers, sales and purchases).