Emails apparently sent and received by Auckland mayor Phil Goff over a 12-year period have been offered with a $20,000 price tag and appear to contain deeply personal information alongside council and Parliamentary work.
Communications sent to the Herald suggest there has been a complete grab of Goff's inbox and sent folders. Among many other topics, they appear to include fundraising plans for Goff's mayoral bid, "confidential" polling data during last year's campaign and sensitive business information.
The seller claims to have more than 15,000 emails from an Xtra account in Goff's name with the database spanning from 2007 to 2019.
Evidence sent by the seller and examined by the Herald appears to confirm the claims.
It is unknown if the seller has offered the emails to other businesses or individuals.
Goff would not be interviewed over the alleged breach.
In a statement, his chief of staff Nirupa George referred to the Herald revelation as an "alleged hack of his family email account".
"Like thousands of other account holders across the country he assumed the service provider's email platform was secure. While the authenticity of the hack has not been verified, the Mayor has discontinued use of the email account and taken advice from experts.
"This matter is now subject to investigation by the police and other relevant agencies."
The broad use of a private, unsecured email for sensitive public service work dogged former United States presidential candidate Hillary Clinton, sparking investigations there into her handling of classified and confidential material.
In 2011, Goff weighed into public debate over the use of a private email account by then-Foreign Affairs Minister Murray McCully, which had been hacked. Goff called it a "wake-up call" and was quoted saying: "Anything (of) an official nature should be going through protected channels."
Information provided by the would-be seller of Goff's emails appears to show the mayor used his Xtra email address during the time he was a government minister, while leader of the Labour Party, as an MP and since becoming Mayor of Auckland.
When asked how it was obtained, the person responded: "The data was forwarded to me by a friend."
In email conversations, the person claimed: "I have every sent and received email from 2007 - Oct 2019 including all attachments.
"Considering the amount of information and the exclusivity of it I think a fair price would be $20k NZD, but happy to negotiate."
The Herald does not engage in chequebook journalism. Our editorial today explains why referencing the emails is of strong public interest.
The Herald has told Goff's office it will not buy the database and has discontinued contact with the person claiming to hold the information.
The person claiming to hold the database sent the Herald examples of the material and text files containing subject lines of documents claimed to be in the Inbox and Outbox of Goff's Xtra account.
The subject lines in the material appear to show information from Goff's time as Minister of Defence in 2007 through to late 2019. It also shows the database apparently holds personal information, including medical information, personal finances and photographs.
Among the emails provided were two dealing with campaign financing. One began with the line: "Team all emails should be on personal addresses or those that cannot be subject to an official information request".
Goff appears to have received the email in his Xtra account and sent it to his executive assistant's email account at Parliament.
The emails provided also included what appeared to be one sent to Goff as mayor and containing sensitive commercial information about a council transport contract. A purported attached document included specific dollar amounts bid for a transport contract.
Such information would appear to be of intense interest to others looking to bid for council transport contracts, should it be offered to and received by them.
A police spokeswoman said: "Police can confirm that we have been made aware of this matter … and initial enquiries are under way to ascertain what has occurred. We will not be making any further comment at this stage."
The Herald contacted Spark after it had confirmed the emails on offer were likely to be genuine.
A spokeswoman for Spark, which provides customers with Xtra email accounts, said: "In line with our security protocols, when we were made aware of this issue we contacted the customer and suspended the account.
"We are investigating the matter; however based on our current information we believe this is an isolated issue. Security is very important to us and we regularly provide information to our customers on how to keep their email accounts secure."
Xtra's email service became exposed during the 2013 hack of Yahoo - disclosed in 2015 - which saw information on all three billion of its accounts harvested. At the time, Xtra was using Yahoo as the supplier of its email service. It dropped the service, citing security issues.
Labour's general secretary Andre Anderson was unsure of the party's protocols or policies around handling of sensitive information when contacted by the Herald.
He said political parties with a high volunteer involvement - such as Labour - couldn't provide broad security measures to all.
A person whose communications were included in the information seen by the Herald was frustrated to hear the communications to Goff were in the database.
"It's criminal. The person (who did this) should be held accountable."
Insomnia Security hacking expert Adam Boileau said weaknesses in security could be created when people used the same or similar passwords across services.
He said a barrier should exist between private email and systems such as those Goff used in Parliament and then at Auckland Council, to stop the transfer of information.
Boileau said data trafficking was a constant activity online, with large databases being exploited by criminal syndicates seeking out ways to make money out of the information.