EQC privacy breach affects 83,000

06:39, Mar 25 2013
FRONTING UP: EQC chief executive Ian Simpson.

Prime Minister John Key says the big privacy breach at EQC was "distressing" but most people had probably sent an email or text message in error.

"We do live in a world where these things are possible."

The comments came after the Earthquake Commission revealed that the privacy breach last week was more than eight times larger than originally announced – affecting every claimant in the Canterbury home repair programme.

This afternoon, EQC chief executive Ian Simpson said the data in the spreadsheet, emailed to a third party outside the organisation, could be manipulated to reveal the details of 98,000 claims from all 83,000 claimants.

Originally, only 9700 people’s information was said to be at risk in the breach, which happened on Friday morning.

Key said Government agencies were looking at ways to tighten up and ensure it did not happen again.


"But all of us probably in our lives have sent an email by mistake or a text message by mistake. It does happen.

EQC had acted quickly and sought a statutory declaration that the information was destroyed.

For the sheer volume of information sent, the number of breaches were small.

EQC had dealt with a huge amount of information and had only one breach, though that was still one too many.

"It was one file sent to one person."

Simpson said in Wellington today that when the breach was announced to media last week, it was not apparent the information on the other 73,000 claimants could be accessed using the spreadsheet's pivot table tool.

The spreadsheet contained claim numbers and home addresses, but not names of those in the programme for homes requiring repairs costing between $15,000 and $100,000, he said.

The scale of the breach meant EQC would not be contacting each claimant to inform them, but would be taking out advertisements in the Christchurch newspapers.

Simpson said the outside party had since destroyed the email, though four other people had been in the room when it was received.

He said “reasonably detailed steps” would have to have been taken for the recipient to see the information of all claimants.

The breach occurred when a staff member sent out an email intended for EQC staff, and the auto-complete function in the email program accidentally filled in the address of a third party, an EQC contractor, Simpson said last week.

Simpson apologised for the breach, saying the matter was “embarrassing and disappointing”.

“The focus is on resolving the issue and containing the information.”

Simpson would not name the recipient of the email, but said the person had “acted in good faith”.

He added he was not aware of any claimants lodging a complaint with the Privacy Commissioner.

Key said he did not think an independent inquiry into the breach at EQC was necessary.

Asked about Earthquake Recovery Minister Gerry's Brownlee's comment that an independent review would advise EQC on how to improve data security, Key said he had no advice on that.

He still had confidence in chief executive Ian Simpson.


Labour's earthquake recovery spokeswoman Lianne Dalziel said the breach was of a scale "unprecedented in New Zealand'' and called on Earthquake Minister Gerry Brownlee to take full responsibility.

"EQC has tried to deny that the figure is seven times worse than admitted. The truth is no one at EQC or the minister's office checked the email thoroughly enough to realise the data was sitting behind the figures on a different sheet than the one they relied on for the 9700 figure.

"That is gross incompetence and a political scandal," said Dalziel.

"I also know that people other than the mistaken recipient saw this information before they alerted him that the email had been sent to him in error and he agreed to delete the information. One of those people contacted me over the weekend."

Dalziel said it was "time for the Minister to take full ministerial responsibility".

She called on Brownlee to explain when he first knew of the extent of the breach and to disclose the extent of the details attached to each of the leaked home addresses.

"He must also undertake to ensure that EQC will provide each person affected with a simple status report on their claim so they know where they stand."

Dalziel said modern technology enabled agencies to move huge amounts of data around. "That's why data protection systems are so vital. EQC's policies are clearly not working."

She said the breach was similar to that experienced by ACC. "Why have lessons not been learned?"

The Press