Privacy Watch: NZ Govt leaks 83,000 citizens’ data; Microsoft hands over Aussie cloud user data to cops


By Andrew Collins
Tuesday, 02 April, 2013



The New Zealand government has accidentally disclosed the details of 83,000 claimants in its Canterbury home repair program, and 2200 names and other information regarding NZ$23 million in cheques, in two separate breaches.

The first breach - of 98,000 claims and 83,000 claimants - included claim numbers and street addresses but did not include customer names, the nation’s Earthquake Commission (EQC) said.

A staff member at the commission inadvertently leaked the information when the auto-complete function of their email program added the address of a third party to an email containing a spreadsheet of the data.

Other people were in the room when it was received, some of whom saw the information.

Initially remaining anonymous, the recipient has come out as Bryan Staples, who previously worked for EQC.

Staples runs Earthquake Services, an insurance advocacy company for those dealing with claims.

The EQC reportedly got Staples to sign a statutory declaration promising that he’d destroy the email. But Staples has since said he was prepared to use the information in a dispute with the commission over payments. The EQC has lodged a complaint with the NZ police regarding Staples’ apparent use of the information.

Since revealing his identity, Staples has been critical of the commission, saying he would put coffins outside of his office in Fitzgerald - three of them black - to symbolise the three Christchurch people he knew who committed suicide after encounters with insurance companies and the EQC.

And in a second breach, 2200 names and information related to stopped cheques worth about NZ$23 million were wrongly emailed to a member of the public.

The recipient of this second email contacted the EQC via its online complaints system but the message was not acted upon.

He then contacted a NZ Labour MP, who raised the breach in parliament.

As of the 29th of March, the man said he still had the information and the EQC had not asked him to destroy it.

Following the leaks, the NZ government took down the commission’s website.

A statement on the site now reads: “The Government has requested the Earthquake Commission shut down all its external email systems and Internet while a review of our systems is undertaken.”

Microsoft discloses customer data to police

Microsoft has revealed that it handed over online user account details of about 2600 Australians to law enforcement agencies last year.

The company last week launched its 2012 Law Enforcement Requests Report, offering some details of the user data it hands over to law enforcement around the globe.

The report covers users of Microsoft’s online and cloud services, including Hotmail/Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, Messenger and Office 365.

According to Microsoft’s report, law enforcement in Australia made 2238 requests for user data (not including Skype data, which is listed separately in Microsoft’s report). Some of these requests covered more than one account; 3081 accounts were covered in total.

Microsoft handed over user data in 84.9% (1899) of these requests, equal to about 2616 of the 3081 accounts in question. In these cases, “Only subscriber/transactional (non-content)” data was disclosed.

Such disclosed data can include: email address, PUID (a user identifier), first name, last name, state, postcode, country, timezone, IP address from which the user registered the account, date the user registered, gender, age and the last IP the user logged in from.

“We require an official, document-based request, such as a subpoena, before we will consider disclosing non-content data to law enforcement,” Microsoft said.

“We require an order or warrant from law enforcement before we will consider disclosing content to law enforcement.”

Law enforcement made 195 requests for Skype data, totalling 424 accounts all up. Microsoft says it did not disclose “content” in response to these requests, but it did provide “guidance to law enforcement” for eight accounts (1.9%).

Such guidance is defined as “general guidance to a domestic or foreign law enforcement agency, either in response to a rejected request or general questions, about the process for obtaining Skype user data”.
