Police have confirmed a dealer with legitimate access to the online notification platform for the gun buyback programme was able to see all owners' details.

Police Deputy Commissioner Mike Clement said they were notified this morning by the dealer.

An update to the database - not authorised by police - had given dealers a higher level of access last week thanks to "human error", police said.

Only one dealer appeared to have used that access.


The vendor for the online notification platform was SAP, a German-based global software company.

An SAP spokesman said, "A new security profile was incorrectly provisioned to a group of 66 dealer users due to human error by SAP.

"We unreservedly apologise to New Zealand Police and the citizens of New Zealand for this error.

"A full internal investigation is already underway within SAP."

Gun buybacks are continuing using a manual process while the platform is offline. It will remain offline until SAP can ensure police the system is secure.

The Office of the Privacy Commissioner has been advised, and police are working to notify people whose privacy has been breached.

The vendor's software has an audit log which will show - in time - how many people's information had been accessed.

There have been reports that other people had seen and were sharing the information.


Clement said if that was true police would find out as the investigation continued and be in touch with those people to ensure the information was secure and had not been shared.

Anyone who was circulating the private information of people in the system would be committing an offence, he said.

There was no hack involved in the information being made available, Clement said.
He was confident no-one in the NZ Police was at fault.

Based on the information he had, firearm holders did not need to take any special measures to ensure they were safe, Clement said.

If that changed those people would quickly be contacted, he said.

Clement said he was confident firearms owners remained confident with police processes, though they would be "disappointed" as he was in what had happened today.

A spokesperson said earlier today police had been made aware today of a "potential issue" by a member of the public.

"Immediately upon being made aware of the issue the platform was closed down and we are investigating the matter further," said the spokesperson.

"We have advised the office of the Privacy Commissioner of the potential issue.

"No further information is available at this time."

The Council of Licenced Firearms Owners issued a statement on the matter.

"COLFO has learned within the past hour of a massive data breach on the police database for firearm hand-in and compensation," said spokeswoman Nicole McKee.

"Information on 70,000 firearm hand-in notifications, the firearms and owner bank account numbers, were accessible to web page users."

"COLFO has sent an urgent email to all members alerting them to the breach."

McKee said the organisation "demands that the web page and whole hand-in application programme is suspended immediately".

"The incident shows precisely why a police firearms register cannot be trusted."

McKee later claimed that the breach had revealed 37,125 owners have registered 280,000 individual newly prohibited items.

"Full contact details, firearm licence number and bank address details were revealed," she said.

"his has been captured on screen-grabs by users, and a full set of the data was downloaded."

McKee said the notification system waws an online web page where any member of the public can notify the police that they have one of the newly prohibited firearms or related items.

"Notification is a three-step process requiring name and contact details, then the firearms and parts to be registered, then their licence number and bank account (for compensation payments)," she said.

"It is unclear how long the information was publicly available before it was seen this morning, and people were able to log into the system for up to three hours before the police finally shut it down.

"The data breach is a huge blow to the whole hand-in programme, and to police claims that firearm owner data would be safe under the Government's planned registry."

McKee said the breach was a "shocking development".

"Full details of prohibited firearms, and addresses at which they could be found, have been available online to the public," she said.

"This makes an absolute mockery of police claims to the Select Committee that they could be trusted to keep a firearm registry secure.

"We call on the full hand-in programme to be suspended in the meantime, and the Privacy Commissioner to investigate."

National and Act have seized upon the apparent data breach to say the proposed forearms register of lawful firearms can't be trusted.

Act leader David Seymour has also called on the resignation of Police Minister Stuart Nash.

Seymour said the information on the database – names, addresses, dates of birth, types of firearms, cellphones and bank account numbers – were available for a number of hours today and could have been downloaded.

"The safety of law-abiding firearms owners has been endangered by this data breach and the Police Minister must resign" said Seymour who was the only MP to oppose the buy-back of military-style semi-automatics in the wake of the March 15 mosques massacre in Christchurch.

"This kind of incident is exactly why a firearms register is a terrible idea and why Act opposed it from the start."

National has opposed the second tranche of firearms law reform, which sets up a firearms licence register.

National's police spokesman, Brett Hudson, said New Zealanders would be worried about where their sensitive information was and who had it.

"Kiwis should be able to have confidence in the agencies holding their personal data.

"How can New Zealanders have confidence in the firearms register the Government is proposing when they can't even protect their personal details in their buy-back scheme?"

He said it was not the first time there had been data breaches under the current Government.

There had been one at the Ministry of Culture and Heritage in which information on young people had been accessed; staff at the New Zealand Transport Agency had been at risk of personal identity theft after a USB drive containing staff identity cards had been lost; private details had been stolen from the Commerce Commission; and even Treasury's website with Budget information had been able to be accessed before the Budget.