Friday, July 28, 2023

Cam Slater: We Warned Them, but They Didn’t Listen

As predicted by many, the Police’s new profit-based Firearms Safety Authority has suffered a major privacy and security breach. The only thing no one expected was that it occurred less than one month after the registers went live. So much for the much-vaunted “bank level security”:

The newly created Firearms Safety Authority has found themselves in the gun after another inadvertent leak of the details of Auckland firearms owners.

In an email sent shortly after noon on Wednesday, seen by the Herald, Auckland Central Police District firearms staff emailed more than 100 gun owners to warn them their listed firearms licence address may not be up to date.

Their email addresses, in many cases including their first and last names, were visible in the cc field, rather than hidden in the bcc section.

The visible addresses included various prominent Auckland residents, including lawyers, company directors, police officers and government officials.

The email was sent from the Auckland City Police District’s firearms email address and signed NZ police, but also carried the signature and logo of the new Firearms Safety Authority, set up to administer the newly launched gun register.

Asked whether it was police or the Firearms Safety Authority who sent the email, a police spokeswoman said it was the authority.

The sender attempted to recall the email shortly after it was sent, and also sent a second email asking recipients to delete the message due to an “error in sending”.

In a statement, Superintendent Richard Wilson, Te Tari Pureke Firearms Safety Authority director of operations, confirmed it had sent the email to 147 recipients revealing the email address of the recipients to fellow licence holders.

“This incident is being treated seriously by Te Tari Pureke, who have lodged this as a privacy breach and will be notifying the Office of the Privacy Commissioner,” Wilson said.

Wilson said it was not sent to any members of the wider public.

“A rapid review has determined that the privacy breach came about from human error when the email addresses were incorrectly pasted into the ‘cc’ (carbon copy) address field, rather than the ‘bcc’ (blind carbon copy) address field.”
NZ Herald

This is real amateur hour stuff and shows that Police and the newly minted Firearms Safety Authority have neither the required skills and discipline nor the information security ability to be in charge of anything more than the books at the local tiddlywinks club, much less to look after the information security of the new gun register.

This is the second time the Auckland office has had a massive data breach and it appears Police have learned nothing from the last debacle.

It is real Keystone cops stuff: ‘Ummm, can we “unsend the email”, anyone…anyone?’ It would be funny if it weren’t just so damn dangerous.

The spokesperson blithely says the email “was not sent to any members of the wider public”, but cannot possibly know that to be the case, especially when it has traversed multiple email servers, multiple routers and been viewed by God knows how many people. The recipients, or a recipient, could have forwarded it. There is simply no way of knowing just how far that email spread.

But the Police will just dig in and pretend it isn’t that bad and carry on building the gangs’ shopping list in the gun register.

Police loftily exclaimed that they’d been gifted the Maori name for the Authority and it is emblazoned everywhere, but perhaps it might have been better to spend the koha that facilitated the “gift” on a basic remedial email and information security course for their incompetent staff.

As a licensed firearms owner, I am incensed by this breach, and it shows that yet again the Police are not fit and proper to manage such an important task.

I am now very, very reluctant to enter a single item in the register. I certainly have zero confidence that my information will ever be kept secure by the same Police organisation whose members routinely and illegally go trolling through my NIA file as Privacy Act requests have proven.

I even suffered through an extended presentation by Mike McIlraith at a recent Antique Arms meeting where he was at pains to tell the concerned members that the gun register and the new systems had “bank level security” and that all our details would be safe and secure. It was bullshit when he said it and it is bullshit now.

The man is an out-of-touch fool. He was warned numerous times about just such an event, yet bullied and cajoled and blustered his way forward, proving without a shadow of doubt that he is a living embodiment of the Peter Principle, which “observes that people in a hierarchy tend to rise to ‘a level of respective incompetence’: employees are promoted based on their success in previous jobs until they reach a level at which they are no longer competent, as skills in one job do not necessarily translate to another”.

Sitting behind the wire in Afghanistan, in the rear with the gear, in no way qualifies one to run complex IT systems.

The register is now fatally compromised, and trust in Police and the Firearms Safety Authority sinks even lower, mainly as a result of the hubris of Police in general and Mike McIlraith in particular.

Time for some responsibility and accountability as well as for heads to roll.

What is especially ironic is that one Antique Arms member specifically asked Mike McIlraith, in person and in front of me, if Mike McIlraith or anyone else would ever be held accountable or put their job on the line if there ever was the inevitable data breach and failure of systems and procedures. Mike McIlraith arrogantly told both of us that such a thing would never occur.

And yet here we are.

But here’s the interesting thing: how come the HR-skilled Angela Brazier, who bizarrely was appointed Chief Executive of the Firearms Safety Authority, seems to only show up for positive PR photo ops but is suspiciously silent and absent when the proverbial hits the fan?

Cam Slater is a New Zealand-based blogger, best known for his role in Dirty Politics and publishing the Whale Oil Beef Hooked blog, which operated from 2005 until it closed in 2019. This article was first published HERE

1 comment:

Anonymous said...

Arrogant bureaucracy, arrogant politicians, arrogant ideology, doesn't say much for democracy does it?