Another major information leak

Another hit for Christchurch

People have been trying to get access to this information for a long time – now all the details have been leaked to the public.

EQC leak much larger than realised

The Earthquake Commission has revealed that the privacy breach last week was more than eight times larger than originally announced - affecting every claimant in the Canterbury home repair programme.

The Christchurch Press,

25 March, 2013

This afternoon, EQC chief executive Ian Simpson said the data in the spreadsheet, emailed to a third party outside the organisation, could be manipulated to reveal the details of 98,000 claims from all 83,000 claimants.

Originally, information from only 9700 people was said to be at risk in the breach, which happened on Friday morning.

Simpson said when the breach was announced to the media last week, it was not apparent the information on the other 73,000 claimants could be accessed using the spreadsheet's pivot table tool.

The spreadsheet contained claim numbers and home addresses, but not names of those in the programme for homes requiring repairs costing between $15,000 and $100,000, he said.

Are you affected by this breach? Email reporters@press.co.nz

The scale of the breach meant EQC would not be contacting each claimant to inform them, but would be taking out advertisements in the Christchurch newspapers.

Simpson said the outside party had since destroyed the email, though four other people had been in the room when it was received.

The breach occurred when a staff member sent out an email intended for EQC staff, and the auto-complete function in the email program accidentally filled in the address of a third party, an EQC contractor.

An independent review of the breach would be commissioned.

In addition, security processes for encrypting and accessing sensitive data, as well as the rules for using email to send sensitive documents, would be reviewed, he said.

He apologised for the breach, saying the matter was "embarrassing and disappointing".

Simpson would not name the recipient of the email, but said the person had "acted in good faith".

Privacy breach 'ironic'

Christchurch Mayor Bob Parker said the situation was ''rather ironic''.

''People would love to what the contents of their EQC files, in many cases they can't get to them, but meanwhile one person has received information relating to thousands and thousands of claims.''

Parker said leaks like this ''just could not afford to happen'' and said technological systems nationwide needed to be improved.

''This will just put our community under further pressure and will create more uncertainty,'' Parker said.

Christchurch City councillor Glenn Livingstone said somebody should "take the fall" for the breach.

''Whether that's the minister or the CEO [of EQC] ... but it is a CEO's job to keep the minister informed and by the sounds of it, that hasn't happened.''

He said the scandal would ''confirm people's low confidence levels in EQC''.

Dalziel and Brownlee exchange words

Labour's earthquake recovery spokeswoman Lianne Dalziel said the breach was of a scale "unprecedented in New Zealand'' and called on Earthquake Minister Gerry Brownlee to take full responsibility.

"EQC has tried to deny that the figure is seven times worse than admitted. The truth is no one at EQC or the minister's office checked the email thoroughly enough to realise the data was sitting behind the figures on a different sheet than the one they relied on for the 9700 figure.

"That is gross incompetence and a political scandal," said Dalziel.

"I also know that people other than the mistaken recipient saw this information before they alerted him that the email had been sent to him in error and he agreed to delete the information. One of those people contacted me over the weekend."

Dalziel said it was "time for the Minister to take full ministerial responsibility".

She called on Brownlee to explain when he first knew of the extent of the breach and to disclose the extent of the details attached to each of the leaked home addresses.

"He must also undertake to ensure that EQC will provide each person affected with a simple status report on their claim so they know where they stand."

Meanwhile, Brownlee said he was very disappointed to learn at "2:21pm today" that the EQC privacy breach contained information relating to more claimants than EQC first thought.

He said he took ''great issue'' with Dalziel's claim that he should have checked the email and spreadsheet to ''identify that hidden data was embedded within the material''.

''Information held by EQC does not routinely make its way to the Minister's office,'' he said.

Brownlee said EQC had improved its procedures for ''encrypting and surely accessing sensitive data'' and an independent review would also take place.

He had advised EQC to take ''whatever legal action they deem appropriate'' to ensure the information had not been copied or distributed.

UPDATE:

EQC boss offered to step down after breach

Radio NZ,

26 March, 2013

Earthquake Commission chief executive Ian Simpson offered his resignation to Earthquake Recovery Minister Gerry Brownlee during a meeting on a privacy breach.

The EQC has had to apologise twice for accidentally emailing information about 83,000 Canterbury earthquake claimants to someone outside the organisation.

Mr Simpson said the minister told him at a Beehive meeting on Tuesday that he should focus on the job at hand and make sure any problems or errors are not repeated.

The chief executive said they discussed further steps the commission could take to avoid a repetition of the breach, and a technical review will cover how the original error occurred and what measures can be taken to prevent a recurrence.

Mr Brownlee told reporters he had confidence in Mr Simpson. "He understood that it had caused embarrassment to the Government and said that if he was a casualty of that, he certainly understood that. I said, look, we've got a problem that we've got to get over."

Labour Party leader David Shearer says the Government is treating the issue too lightly. "There needs to be a process in place by which this cannot happen and the Government has not put out any sort of safeguards to enable that process to occur."

An Excel spreadsheet containing claim details of clients in EQC's Canterbury Home Repair programme accidentally sent by a staff member to the wrong email address contained information regarding building quotes, estimated settlement costs and details of cash settlements.

Earlier on Tuesday Mr Simpson told Radio New Zealand's Morning Report programme that corrections had been made to email systems to make sure this would not happen again. Changes included not sending out spreadsheets as email attachments.

Files contained 'many details'

The information was mistakenly sent to Bryan Staples, chief executive of insurance advocacy company Earthquake Services, last week.

Mr Staples said the attachment was full of details Cantabrians have been asking the EQC to provide for over two years, including estimated settlement costs and the number of cash settlements the commission is expecting to make.

"I saw that over 60,000 of those claims were categorised under $50,000. This is absolutely outrageous - it's political. EQC fixing Christchurch is all about the next election. They're going to try and cash settle claims for under $50,000. They need to come clean."

The attachment contained EQC estimates of repair costs but Mr Brownlee said that cannot be given to claimants themselves because it is commercially sensitive.

"Obviously we want tradespeople who are doing that work to compete for the work," he said. "If you say right up front what you expect to pay you'll end up paying more, and that would come out of the pockets of taxpayers."

Mr Staples has deleted the email and and promised the information would not be distributed any further.

He said the EQC staff member who sent the file was someone he is in regular contact with and he told her about it within half an hour of receiving the email.

Mr Staples is adamant it was not him who passed information to Ms Dalziel and said he was disgusted politicians had turned turned a simple human error into a political football.