by Cam Slater on theBFD
As predicted by many, the Police’s new profit-based Firearms Safety Authority has suffered a major privacy and security breach. The only thing no-one expected was that it occurred less than one month after the registers went live. So much for the much-vaunted “bank level security”:
The newly created Firearms Safety Authority has found themselves in the gun after another inadvertent leak of the details of Auckland firearms owners.
In an e-mail sent shortly after noon on Wednesday, seen by the Herald, Auckland Central Police District firearms staff emailed more than 100 gun owners to warn them their listed firearms licence address may not be up to date.
Their e-mail addresses, in many cases including their first and last names, were visible in the cc field, rather than hidden in the bcc section.
The visible addresses included various prominent Auckland residents, including lawyers, company directors, police officers and government officials.
The e-mail was sent from the Auckland City Police District’s firearms email address and signed NZ police, but also carried the signature and logo of the new Firearms Safety Authority, set up to administer the newly launched gun register. Asked whether it was police or the Firearms Safety Authority who sent the email, a police spokeswoman said it was the authority.
The sender attempted to recall the e-mail shortly after it was sent, and also sent a second email asking recipients to delete the message due to an “error in sending”.
In a statement, Superintendent Richard Wilson, Te Tari Pureke Firearms Safety Authority director of operations, confirmed it had sent the email to 147 recipients revealing the email address of the recipients to fellow licence holders.
“This incident is being treated seriously by Te Tari Pureke, who have lodged this as a privacy breach and will be notifying the Office of the Privacy Commissioner,” Wilson said. Wilson said it was not sent to any members of the wider public.
“A rapid review has determined that the privacy breach came about from human error when the email addresses were incorrectly pasted into the ‘cc’ (carbon copy) address field, rather than the ‘bcc’ (blind carbon copy) address field.” –NZ Herald
This is real amateur hour stuff and shows that Police and the newly minted Firearms Safety Authority have neither the required skills and discipline nor the information security ability to be in charge of anything more than the books at the local tiddlywinks club, much less looking after information security of the new gun register.
This is the second time the Auckland office has had a massive data breach and it appears Police have learned nothing from the last debacle.
It is real Keystone Cops stuff: ‘Ummm, can we “unsend” the e-mail? Anyone… anyone?’ It would be funny if it weren’t just so damn dangerous.
The spokesperson blithely says the email “was not sent to any members of the wider public”, but cannot possibly know that to be the case, especially when it has traversed multiple e-mail servers, multiple routers and been viewed by God knows how many people. The recipients, or a recipient, could have forwarded it. There is simply no way of knowing just how far that email spread.
But the Police will just dig in and pretend it isn’t that bad and carry on building the gangs’ shopping list in the gun register.
Police loftily exclaimed that they’d been gifted the Maori name for the Authority and it is emblazoned everywhere, but perhaps it might have been better to spend the koha that facilitated the “gift” on a basic remedial e-mail and information security course for their incompetent staff.
As a footnote, this Radio NZ article states that Jacinda’s gun grab during the 2021 financial year cost more to run than was paid to gun-owners forced to surrender what they owned. “Just over $2.4m was paid out to gun owners who handed in their firearms as part of the buyback, while the total cost of the scheme was $6.2m.”