Privacy Watch: NZ Govt leaks 83,000 citizens’ data; Microsoft hands over Aussie cloud user data to cops


By Andrew Collins
Tuesday, 02 April, 2013


Privacy Watch: NZ Govt leaks 83,000 citizens’ data; Microsoft hands over Aussie cloud user data to cops

The New Zealand government has accidentally disclosed the details of 83,000 claimants in its Canterbury home repair program, and 2200 names and other information regarding NZ$23 million in cheques, in two separate breaches.

The first breach - of 98,000 claims and 83,000 claimants - included claim numbers and street addresses but did not include customer names, the nation’s Earthquake Commission (EQC) said.

A staff member at the commission inadvertently leaked the information when the auto-complete function of their email program added the address of a third party to an email containing a spreadsheet of the data.

Other people were in the room when it was received, some of whom saw the information.

Initially remaining anonymous, the recipient has come out as Bryan Staples, who previously worked for EQC.

Staples runs Earthquake Services, an insurance advocacy company for those dealing with claims.

The EQC reportedly got Staples to sign a statutory declaration promising that he’d destroy the email. But Staples has since said he was prepared to use the information in a dispute with the commission over payments. The EQC has lodged a complaint with the NZ police regarding Staples’ apparent use of the information.

Since revealing his identity, Staples has been critical of the commission, saying he would put coffins outside of his office in Fitzgerald - three of them black - to symbolise the three Christchurch people he knew who committed suicide after encounters with insurance companies and the EQC.

And in a second breach, 2200 names and information related to stopped cheques worth about NZ$23 million were wrongly emailed to a member of the public.

The recipient of this second email contacted the EQC via its online complaints system but the messaged was not acted upon.

He then contacted a NZ Labour MP, who raised the breach in parliament.

As of the 29th of March, the man said he still had the information and the EQC had not asked him to destroy it.

Following the leaks, the NZ government took down the commission’s website.

A statement on the site now reads: “The Government has requested the Earthquake Commission shut down all its external email systems and Internet while a review of our systems is undertaken.”

Microsoft discloses customer data to police

Microsoft has revealed that it handed over online user account details of about 2600 Australians to law enforcement agencies last year.

The company last week launched its 2012 Law Enforcement Requests Report, offering some details of the user data it hands over to law enforcement around the globe.

The report covers users of Microsoft’s online and cloud services, including Hotmail/Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, Messenger and Office 365.

According to Microsoft’s report, law enforcement in Australia made 2238 requests for user data (not including Skype data, which is listed separately in Microsoft’s report). Some of these requests covered more than one account; 3081 accounts were covered in total.

Microsoft handed over user data in 84.9% (1899) of these requests, equal to about 2616 of the 3081 accounts in question. In these cases, “Only subscriber/transactional (non-content)” data was disclosed.

Such disclosed data can include: email address, PUID (a user identifier), first name, last name, state, postcode, country, timezone, IP address from which the user registered the account, date the user registered, gender, age and the last IP the user logged in from.

“We require an official, document-based request, such as a subpoena, before we will consider disclosing non-content data to law enforcement,” Microsoft said.

“We require an order or warrant from law enforcement before we will consider disclosing content to law enforcement.”

Law enforcement made 195 requests for Skype data, totalling 424 accounts all up. Microsoft says it did not disclose “content” in response to these requests, but it did provide “guidance to law enforcement” for eight accounts (1.9%).

Such guidance is defined as “general guidance to a domestic or foreign law enforcement agency, either in response to a rejected request or general questions, about the process for obtaining Skype user data”.

Image credit ©iStockphoto.com/WillSelarep

Related Articles

Strategies for navigating Java vulnerabilities

Java remains a robust and widely adopted platform for enterprise applications, but staying ahead...

Not all cyber risk is created equal

The key to mitigating cyber exposure lies in preventing breaches before they happen.

How AI can help businesses manage their cyber risks

Artificial intelligence can be a powerful ally in the fight against cyberthreats.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd