New Zealand’s gun buyback scheme impacted by data breach, SAP to blame

SAP has been left red-faced for allowing the security lapse to occur.
Written by Charlie Osborne, Contributing Writer

New Zealand's firearms buyback scheme has been at the center of a data breach caused by human error at SAP.

The buyback scheme, which ends on December 20, allows gun holders to trade in full weapons, as well as parts, accessories, and magazines. 

Both an amnesty -- allowing illegal weapons or those owned without a license to be turned in without fear of prosecution -- and a buyback scheme for licensees were launched after New Zealand suffered mass shootings at Christchurch mosques.

Local MPs also voted 119-to-1 to enact gun reform and to ban most semi-automatic firearms and some pump-action shotguns.

Once the amnesty and buyback schemes end, owners may be prosecuted for owning guns now illegal in the country.

On Monday, New Zealand's Deputy Commissioner Mike Clement said that a website used by firearms owners to register and relinquish their weapons was subject to a security lapse, discovered when an arms dealer notified police that they were able to access other users' account information without permission.


Names, addresses, dates of birth, firearms license numbers, and bank account details were accessible, as reported by The Guardian, in what Nicole McKee, from the Council of Licensed Firearms Owners, called a "shopping list for criminals."

Clement says that once police were made aware of the incident, the platform was immediately shut down, and it will not be used again until law enforcement is sure it is safe to do so. If security issues remain, criminals may be able to gain access to lists of weapons and parts -- as well as their locations -- ahead of the amnesty and buyback scheme's closure, potentially resulting in theft or owners being put at risk.

Until the issue is resolved, law enforcement will be relying on manual registration methods.

"We have been able to identify the error back to an update made by our vendor last week which provided dealers a higher level of access to the notifications database," Clement said. "The update was not authorized by police [...] We take the privacy of the public information we hold seriously and we will undertake our own additional checks to ensure the system is secure before the online notification platform is reestablished."


The deputy commissioner named German tech giant SAP as the provider of the platform. An SAP spokesperson said "human error" at the company was at fault.

Security profiles can be created on the platform to give authorized users the power to create citizen records. However, such a security profile was incorrectly assigned to 68 dealers who have been authorized to act as middlemen for individuals who do not want to attend police events.

It has been claimed that only one dealer, the individual who made the police aware of the problem, was able to access sensitive information after this update was applied. 
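As an added illustration, not code from SAP or from the police platform: a least-privilege deployment gate that diffs profile assignments before and after an update and fails on any account that gains access to personal data without an approved change record. The profile names, permission labels and the 68 constructed dealer accounts are assumptions.

```python
# Added example (not SAP's or NZ Police's code): a pre-deployment least-privilege check
# that flags accounts gaining sensitive access in a profile-assignment update unless an
# approved change covers them. Profile, permission and account names are constructed.

# Permissions that expose personal data (constructed labels).
SENSITIVE = frozenset({"citizen_record:create", "citizen_record:read", "notification:read_all"})

# Security profiles modelled as permission bundles (constructed).
PROFILES = {
    "dealer_submit": frozenset({"notification:create_own", "notification:read_own"}),
    "police_registrar": frozenset({"citizen_record:create", "citizen_record:read",
                                   "notification:read_all"}),
}

def effective_permissions(assignments, account):
    """Union of permissions over every profile assigned to the account."""
    perms = set()
    for profile in assignments.get(account, ()):
        perms |= PROFILES[profile]
    return perms

def privilege_escalations(before, after, sensitive=SENSITIVE):
    """Map account -> sensitive permissions it gains between two assignment snapshots."""
    gained = {}
    for account in set(before) | set(after):
        new = effective_permissions(after, account) - effective_permissions(before, account)
        if new & sensitive:
            gained[account] = new & sensitive
    return gained

def unapproved_escalations(before, after, approved_accounts):
    """Escalations with no approved change record; a deployment gate should fail on any."""
    return {acct: perms for acct, perms in privilege_escalations(before, after).items()
            if acct not in approved_accounts}

# Constructed snapshots: 68 dealer accounts plus one police registrar.
DEALERS = [f"dealer{i:02d}" for i in range(1, 69)]
BEFORE = {d: {"dealer_submit"} for d in DEALERS}
BEFORE["registrar01"] = {"police_registrar"}
# Effect of a vendor update that also attaches the registrar profile to every dealer.
AFTER = {d: {"dealer_submit", "police_registrar"} for d in DEALERS}
AFTER["registrar01"] = {"police_registrar"}

if __name__ == "__main__":
    flagged = unapproved_escalations(BEFORE, AFTER, approved_accounts=set())
    print(f"{len(flagged)} accounts gain sensitive access without an approved change")
    for acct in sorted(flagged)[:3]:
        print(acct, sorted(flagged[acct]))
```

Run against the real assignment export before and after a vendor update, the same diff shows which accounts an update silently widened, so police could verify the change rather than learn of it from a dealer.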

SAP has "unreservedly apologized" to New Zealand Police and the country's citizens and has promised that an internal investigation is underway. 


"We continue to work with and offer our full resources to New Zealand Police to ensure the system is fully secure and up and running again as soon as possible," the spokesperson added. 

Prime Minister Jacinda Ardern told Morning Report that the issue was caused by "one private provider who with one person had a human error that caused one other person to access information they shouldn't have," and added: "I think we should keep this in perspective, this should not undermine reforms that will protect New Zealanders."
