The New Zealand police have admitted that a massive data breach might have involved an online platform set up to “buy back” firearms. Under the scheme, the government offered citizens an opportunity to let the police know they possessed an illegal weapon and turn it in – ostensibly anonymously to the rest of the world – and, in exchange for cash.
This is a step commonly deployed to build safety and trust within a community after a conventional war had ravaged it. In those areas, something of the kind will likely be called a “weapons amnesty program.” People would show up, turn in their weapon – and walk away.
Minus the “buyback” close, of course. And therefore, minus any credit card information.
New Zealand's authorities felt the need to set up something that looked like such a program – in the wake of the mass shooting last March in Christchurch. Was that crisis big enough to warrant a national weapons amnesty drive, complete with personal data being handed over? And was the ensuing campaign small enough for the government not to make sure that – if it was to be conducted online – the harvesting any manner of personal data of those participating in good faith should be properly protected?
In any case – this is how it all went wrong in New Zealand.
The police reportedly set up a webpage allowing citizens to let them know they had prohibited firearm or related items in their possession, and allowing them to hand it over in exchange for money.
But now this “gun buyback database” has been breached.
“Immediately upon being made aware of the issue the platform was closed down and we are investigating the matter further,” a police spokesperson said.
Meanwhile, a spokesperson for New Zealand's Council of Licensed Firearms Owners told the website that data on some 70,000 “firearm hand-in notifications, the firearms and owner bank account numbers, was accessible to web page users.”
“They were able to screenshot and download information. This means that gang members or other criminal elements could have accessed this information before our supporters found the breach,” a spokesperson said.
They added that those affected were now advised to monitor their bank accounts – and let their banks know of any unusual transactions. In addition, and perhaps more worryingly – they are also told to consider “taking extra personal and home security precautions.”
“This is exactly what we feared of an incompetent agency in charge of an online register,” the group said.
Meanwhile, the online platform has been shut down after gun association members reported a vulnerability exposing data of about 37,000 citizens.