Governance & Risk Management , IT Risk Management , Privacy

SAP Software Update Exposed New Zealand Firearms Register

SAP Apologizes and Blames 'Human Error'
SAP Software Update Exposed New Zealand Firearms Register
New Zealand Police explain new shotgun rules to comply with the country's stricter gun laws enacted in April. (Source: New Zealand Police)

German software giant SAP has apologized after a software update mistakenly assigned higher-level privileges to some users within New Zealand’s firearms buy-back notification database, exposing personal details for gun owners.

See Also: How Enterprise Browsers Enhance Security and Efficiency

New Zealand Police say the database “will remain offline until we can be reassured by our vendor that the platform is secure.” The update wasn’t authorized, police say.

The database enables gun owners to notify police of firearms they own and register for compensation under a buy-back program.

New Zealand Police said in an update on Monday afternoon that full details for 35 people were accessed without authorization. The data accessed includes names, addresses, phone numbers, firearms license numbers and bank account details. Another group of people, numbering less than 500, saw their names and addresses accessed, police say.

Police disputed a claim by Council of Licensed Firearms Owner that 19 unauthorirized individuals had accessed data. Only one gun dealer accessed data without authorization, and that person contacted police, they say.

“We have requested this information from COLFO leaders to enable us to establish the facts,” according to Deputy Commissioner Mike Clement. “Nothing has been provided to date, but police continues to liaise with COLFO.”

COLFO’s law firm, Franks Ogilvie, published a statement on Monday confirming that it was investigating claims that the notification system may have been available after police said it was shut down.

The buy-back program was part of an overhaul of the New Zealand’s firearms laws following shootings at two mosques in Christchurch on March 15, resulting in 51 deaths.

The next month, with the backing of Prime Minister Jacinda Ardern, New Zealand’s Parliament passed laws banning most so-called centerfire semi-automatic guns, certain types of rifles and some pump-action shotguns, amongst other weapons. Those possessing now-banned weapons could be eligible for compensation from the government for turning them over.

One component of the buy-back program was a website where gun owners could notify police of the firearms they hold. Gun owners could also supply their bank account details if they believed they may be eligible for payment. Along with SAP, Microsoft is one of the police’s technology partners for the effort.

Wrong Security Profiles

SAP says in a joint statement with police that the error involved security profiles that would have allowed some users “to create citizen records.” But the profile was assigned to 66 gun dealers due to human error.

Those errors resulted in one gun dealer accessing prohibited data, who contacted authorities, police say. “We are engaging with the person who has accessed the information to ensure no further information is shared," it says.

A redacted screenshot of the exposed database published by the Council of Licensed Firearms Owners (Source: COLFO)

SAP says it locked all user profiles on the system except for its consultants who were investigating.

“We unreservedly apologize to New Zealand Police and the citizens of New Zealand for this error,” the company says. “The security of our customers and their data is of absolute priority to us. A full internal investigation is already underway within SAP.”

New Zealand police say the buy-back program will continue but using manual processes.

The country’s Privacy Commissioner says police will contact those affected by the breach and that it is “currently working with NZ Police to ensure they are taking steps to protect the personal information they hold.”

Exposure Created ‘Shopping List’

New Zealand’s quick legislative action after its worst mass shooting was endorsed by most, although there was some mild opposition. The database snafu was seized upon by the COLFO, which has contended the new laws were rushed.

“This is a shocking development,” says COLFO spokesperson Nicole McKee. “Full details of prohibited firearms, and addresses at which they could be found, have been available online to the public.”

The incident shows why a police firearm register can’t be trusted, McKee says.. She told The Guardian that the exposure created a “shopping list for criminals.”

COLFO alleges that the database error shows that 37,125 gun owners have registered 280,000 now-prohibited weapons. As of Nov. 24, New Zealand Police say they’ve collected more than 40,000 firearms and nearly 150,000 gun components, paying out more than $75 million. The buy-back period ends Dec. 20.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.