German software giant SAP has issued a public apology after a database the company supplied to New Zealand Police gave 66 firearms dealers unhindered access to names, addresses, contact numbers, and bank account details of thousands of firearms owners in the country.
Earlier this year, New Zealand Police introduced a firearms buy-back programme with the aim of collecting thousands of semi-automatic firearms and assault rifles from firearms owners across the country.
The buy-back programme was introduced in the aftermath of mass shooting incidents in Christchurch that took place in March this year and resulted in the death of as many as 49 people and serious injuries to twenty more people.
Recently, New Zealand Police announced that since the announcement of the scheme, 15,187 firearms owners from across the country handed in a total of 24,073 firearms and 88,765 parts and accessories and received up to $45.4 million in compensation. The scheme is set to expire on 20 December this year.
Database update gave dealers access to personal & financial details of firearms owners
In order to run its firearms buy-back programme, New Zealand Police used an online notification platform supplied by German software company SAP where firearms dealers could view and update certain details as per the requirements of the programme.
Recently, SAP introduced an update to the online notification platform that gave up to 66 firearms dealers access to names, detailed contact information, and bank account details of firearms owners from all over the country. New Zealand Police said that the update was not authorised by it and exposed personal data of dozens of firearms owners.
"We can confirm that a dealer with legitimate access to the online notification platform for the firearm buy-back programme has been able to view details of firearms owners. We were notified of the error this morning when the dealer contacted us.
"Upon being notified all efforts were made to immediately shut down access to the platform. We have been able to identify the error back to an update made by our vendor last week which provided dealers a higher level of access to the notifications database. The update was not authorised by Police," the police said in a statement posted on its website.
"Our investigations have shown only one dealer login has accessed the system since the update. We believe this was an isolated incident and made possible due to human error. The vendor for the online notification platform is Germany-based global software company SAP.
"The firearms buy-back programme is continuing and we will be using a manual process to manage the return of prohibited firearms. The online notification platform will remain offline until we can be reassured by our vendor that the platform is secure," it added.
SAP issues an apology to New Zealand, saying human error caused the breach
In a fresh update to the data security incident, New Zealand Police said that names, addresses, contact numbers, firearms licence numbers, and bank account details of 35 firearms owners were accessed by a solitary dealer who did not use or share the information in any manner.
The dealer also accessed names and addresses of up to five hundred firearms owners and they are presently being informed about the privacy breach by New Zealand Police.
After news about the exposure of personal information of firearms owners became public, software giant SAP issued an apology to New Zealand Police and the country's citizens, stating that the data exposure occurred due to human error.
"SAP can confirm it was notified of a security breach to the New Zealand Police gun buy back system this morning. The security breach indicated that a single dealer user had accessed information not intended to its user profile. As soon as the full details of this incident were understood, all user profiles on the system, except for SAP consultants investigating, were locked, and remain so.
"As part of new features intended for the platform, security profiles were to be updated to allow certain users to be able to create citizens records. A new security profile was incorrectly provisioned to a group of 66 dealer users due to human error by SAP.
"We unreservedly apologise to New Zealand Police and the citizens of New Zealand for this error. The security of our customers and their data is of absolute priority to us. A full internal investigation is already underway within SAP," the company said.