Data Loss mailing list archives

EQC privacy breach: 9700 affected
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 22 Mar 2013 09:55:17 -0400


The Earthquake Commission has apologised to nearly 10,000 claimants in
the latest privacy breach blunder by a government department, which
saw information about the claimants sent to the wrong person.

Public sector chiefs are all being put on notice by the Privacy
Commissioner to ensure measures have been put in place to avoid more

The information about 9700 claims, including claim numbers and street
addresses, was inadvertently sent to a person outside of the EQC this

EQC chief executive Ian Simpson said the sent information did not
include customer names, and most of the information would require
knowledge of EQC's internal workings in order to interpret it.

EQC staff contacted the recipient as soon as the breach was
identified, and the recipient agreed to destroy all the information,
he said.

"I am really disappointed that this breach has occurred. I apologise
unreservedly that private customer information was sent to the wrong

"I want to assure our customers that every effort will be directed at
ensuring this doesn't happen again," Mr Simpson said.

"We will begin contacting affected customers from early next week to
advise them of the breach."

Earthquake Recovery Minister Gerry Brownlee was not available for comment.

Privacy Commissioner Marie Shroff said public sector agencies needed
to have stronger controls in place when handling spreadsheets of
personal information.

"The EQC breach is yet another incident involving inadvertent
disclosure of large amounts of personal information on a spreadsheet.
We hope that agencies are starting to realise that they should have
stronger controls in place to help to prevent these types of mistakes.
But they clearly have a way to go yet."

Ms Shroff said she was considering writing to the State Services
Commissioner and all public sector chief executives, asking them to
tell her what precautions they have - or are - putting in place to
help prevent inadvertent emailing of client information on spread

Labour Party spokeswoman for Earthquake Recovery, Lianne Dalziel, said
the privacy breach was disappointing.

"People do entrust government agencies with information believing that
it will be used appropriately and protected appropriately."

She said it was almost identical to the ACC breach, in which private
information of nearly 6500 claimants was incorrectly sent to the wrong

"One has to question the culture - it's a culture around government
and the protection of privacy."

However, she said EQC fronted up, which was positive.

"The first rule of business is the four 'F's - foul up, fess, front up
and fix it.

"They've done the first three and I want to know that they are going to
fix it and they will have completed that circle, and I hope that they

Christchurch community group Canterbury Communities' Earthquake
Recovery Network (CanCERN) spokeswoman Leanne Curtis said it was
unfortunate for the people involved and would cause them stress.

"I think other people will see it as a sign of EQC's ongoing competence."

But she said it was a common error to push send to the wrong recipient.

"I think we need to be a little bit forgiving around that and also. I
think EQC has responded very quickly, very transparently, very openly
and with a lot of detail."

Ms Curtis hoped EQC would learn that this level of communication would
reduce stress amongst earthquake-affected residents.

Mayor Bob Parker would not comment on the privacy breach.

The people affected by the breach were customers in the EQC Canterbury
Home Repair Programme whose repairs were yet to begin.

Mr Simpson said EQC would beef up procedures for encrypting and
securely accessing sensitive data, as well as tightening rules for
using email to send sensitive documents.

"We will commission an independent review of the breach and take steps
from that review to ensure this doesn't happen again."
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

