(update) NZ: National admits Labour data breach – but denies passing names to Whaleoil
NZPA and NBR staff report the latest in the Labour Party donor list breach reported on this blog last night:
The National Party has admitted exploiting a security hole in the Labour Party website but denies passing data to a right-wing blogger who plans to release the names of Labour Party donors.
The Privacy Commissioner has raised concerns and is monitoring the situation.
The confession means lawyers’ opinons sought by NBR now apply in part to Natonal’s situation as well as Whaleoil blogger Cameron Slater, whom earlier today threatened to release the names of 452 Labour Party donors.
The Labour website security flaw allowed a database containing supporters’ personal information to be freely downloaded until the problem was fixed over the weekend.
The database included a mailing list containing the names and email addresses of about 18,000 supporters and a list of hundreds of recent online donations, complete with names and amounts given.[…]
The first breach was as far back as May 27 — more than a fortnight ago — but Labour did not detect it because “the people who found that gap in the system didn’t tell us”, she told NZPA.[…]
Ms Coatsworth said the security breach had been due to a recent minor change to the website which had since been fixed. An independent security review would be launched.
Read more on The National Business Review.
Well, for Labour to say that they didn’t detect it because nobody told them is a bit of a whiner. Although entities may learn about 40% of breaches when they are contacted by those who discover them, the party is responsible for securing its own site and detecting breaches in its own security, no?