EQC leak much larger than realised
GEORGINA STYLIANOU AND OLIVIA WANNAN AND GLENN CONWAY
The Earthquake Commission has revealed that the privacy breach last week was more than eight times larger than originally announced - affecting every claimant in the Canterbury home repair programme.
This afternoon, EQC chief executive Ian Simpson said the data in the spreadsheet, emailed to a third party outside the organisation, could be manipulated to reveal the details of 98,000 claims from all 83,000 claimants.
Originally, information from only 9700 people was said to be at risk in the breach, which happened on Friday morning.
Simpson said when the breach was announced to the media last week, it was not apparent the information on the other 73,000 claimants could be accessed using the spreadsheet's pivot table tool.
The spreadsheet contained claim numbers and home addresses, but not names of those in the programme for homes requiring repairs costing between $15,000 and $100,000, he said.
Are you affected by this breach? Email email@example.com
The scale of the breach meant EQC would not be contacting each claimant to inform them, but would be taking out advertisements in the Christchurch newspapers.
Simpson said the outside party had since destroyed the email, though four other people had been in the room when it was received.
The breach occurred when a staff member sent out an email intended for EQC staff, and the auto-complete function in the email program accidentally filled in the address of a third party, an EQC contractor.
An independent review of the breach would be commissioned.
In addition, security processes for encrypting and accessing sensitive data, as well as the rules for using email to send sensitive documents, would be reviewed, he said.
He apologised for the breach, saying the matter was "embarrassing and disappointing".
Simpson would not name the recipient of the email, but said the person had "acted in good faith".
Privacy breach 'ironic'
Christchurch Mayor Bob Parker said the situation was ''rather ironic''.
''People would love to what the contents of their EQC files, in many cases they can't get to them, but meanwhile one person has received information relating to thousands and thousands of claims.''
Parker said leaks like this ''just could not afford to happen'' and said technological systems nationwide needed to be improved.
''This will just put our community under further pressure and will create more uncertainty,'' Parker said.
Christchurch City councillor Glenn Livingstone said somebody should "take the fall" for the breach.
''Whether that's the minister or the CEO [of EQC] ... but it is a CEO's job to keep the minister informed and by the sounds of it, that hasn't happened.''
He said the scandal would ''confirm people's low confidence levels in EQC''.
Dalziel and Brownlee exchange words
Labour's earthquake recovery spokeswoman Lianne Dalziel said the breach was of a scale "unprecedented in New Zealand'' and called on Earthquake Minister Gerry Brownlee to take full responsibility.
"EQC has tried to deny that the figure is seven times worse than admitted. The truth is no one at EQC or the minister's office checked the email thoroughly enough to realise the data was sitting behind the figures on a different sheet than the one they relied on for the 9700 figure.
"That is gross incompetence and a political scandal," said Dalziel.
"I also know that people other than the mistaken recipient saw this information before they alerted him that the email had been sent to him in error and he agreed to delete the information. One of those people contacted me over the weekend."
Dalziel said it was "time for the Minister to take full ministerial responsibility".
She called on Brownlee to explain when he first knew of the extent of the breach and to disclose the extent of the details attached to each of the leaked home addresses.
"He must also undertake to ensure that EQC will provide each person affected with a simple status report on their claim so they know where they stand."
Meanwhile, Brownlee said he was very disappointed to learn at "2:21pm today" that the EQC privacy breach contained information relating to more claimants than EQC first thought.
He said he took ''great issue'' with Dalziel's claim that he should have checked the email and spreadsheet to ''identify that hidden data was embedded within the material''.
''Information held by EQC does not routinely make its way to the Minister's office,'' he said.
Brownlee said EQC had improved its procedures for ''encrypting and surely accessing sensitive data'' and an independent review would also take place.
He had advised EQC to take ''whatever legal action they deem appropriate'' to ensure the information had not been copied or distributed.
- The Press