
National admits Labour data breach - but denies passing names to Whaleoil

The National Party has admitted exploiting a security hole in the Labour Party website but denies passing data to a right-wing blogger who plans to release the names of Labour Party donors.

National's president, Peter Goodfellow, confirmed a head office staffer accessed the data but denied it was passed on.

The Privacy Commissioner has raised concerns and is monitoring the situation.

The confession means lawyers' opinions sought by NBR now apply in part to National's situation as well as Whaleoil blogger Cameron Slater, who earlier today threatened to release the names of 452 Labour Party donors.

The Labour website security flaw allowed a database containing supporters' personal information to be freely downloaded until the problem was fixed over the weekend.

The database included a mailing list containing the names and email addresses of about 18,000 supporters and a list of hundreds of recent online donations, complete with names and amounts given.

Mr Slater, who said he had a copy of the data, threatened on his website to release the names and email addresses of thousands of Labour supporters tomorrow.

Labour Party president Moira Coatsworth today said the party had unreservedly apologised to those affected and was attempting to contact everyone whose personal details could be published.

She accused the National Party of downloading the data from its head office and tipping off Slater.

"This is a politically motivated attack," she said.

"The National Party had a choice to alert us to this vulnerability in our system. Instead they chose to exploit it and to download the material and pass the gap on to the blogger, who they knew would reveal private information."

The first breach was as far back as May 27 -- more than a fortnight ago -- but Labour did not detect it because "the people who found that gap in the system didn't tell us", she told NZPA.

"If you find someone's wallet, usually you give it back to the owner. What they did was download and provide it to a right-wing blogger."

Mr Goodfellow said that was a "beat-up".

A head office staffer accessed the data but only out of concern that National's own website had similar vulnerabilities.

"There was so much chatter about there being a gaping hole in the Labour website," he told NZPA.

"I would have thought it's like driving past a fire and stopping to have a look."

National had not passed on any information and did not intend to, Mr Goodfellow said.

Staff were looking into whether the data had been retained, but Mr Goodfellow would not give an undertaking to destroy any details still being held.

He denied National had an obligation to inform Labour about the security flaw.

"I wouldn't expect them to notify us if there'd been a gaping hole in our internet site, I'd expect one of our tech guys to find out about it," he said.

"I would be very embarrassed if that was us."

Prime Minister John Key said he did not know anything about the matter.

Ms Coatsworth said the security breach had been due to a recent minor change to the website which had since been fixed. An independent security review would be launched.

"I have unreservedly apologised and we fully understand the seriousness of this kind of event," Ms Coatsworth told NZPA.

"The concern now is the intentional violation of people's privacy by releasing information."

Ms Coatsworth said it was too soon to say what impact the breach would have, but it was possible donations to the party could be affected.

Privacy Commissioner Marie Shroff today said the Labour Party had alerted her to the case.

"I understand the information gained has also been sent to third parties. This chain of events concerns me," she said.

People affected by the data breach could contact her office, she said.

More by NZPA and NBR staff

Comments and questions
35

What is everyone worried about, surely the people who gave money to Labour are proud Labour supporters... aren't they??

But would you want your information smeared all over sites like Kiwiblog by their owner, Whaleslime, Cam Slater. Who also claims a sickness benefit, whilst railing against beneficiaries ad nauseam. He is nothing but a hypocritical, dirt digging, National's pet puppy, that just keeps messing on the floor.

The govt were warned approximately 5 years ago that their system was breached. I found 3 tracking bugs, one was their own key logger. I did warn the govt, but I was crapped on by Securacopy idiots, nothing has changed. Do you really want to know all their security? No need for SIS, just sit back & watch.

heheheeheh, another proud moment for Labour - someone is in BIG trouble in their IT team!

Does John Key ever know anything? That's the only comment he ever makes

and yet he polls consistently higher than Goof...

Mainly because people seldom look behind the smile!

From a former Nat supporter.

but talks the same twaddle as Goff

Very tacky crap from the National Party

I am now a very disappointed National party supporter - I thought National was more professional than this

You gotta love the morals and ethics of National, or the lack that is.

yeah..you're onto it there...i mean look how happy they were to exploit the hacking of don brash's emails and all that brethren stuff...poor old labour...gee shucks...i'm crying about their ethics..stop it !

Yep ... won't cut Kiwisaver, won't sell assets, won't build trains in NZ to feed Kiwis

Spending a billion dollars on a train set that does not work by Labour seems like a good investment??? yay kiwi rail

Most of the comments here relate to accessing the information. Nobody seems interested in the fact that Labour appear to have been using parliamentary services staff to process campaign funds. Isn't that naughty? Or does that not really matter?

Are you serious? Labour's excuse... National isn't cleaning up after us...

I would expect unethical behaviour from this Key led National Party after all their track record since the election has been one of corruption, rorting and exploitation of the country.

I have subscribed to the Labour Party web site in the past, now recently I am getting unsolicited SPAM mail offering employment etc. Who is providing a new email address to spammers?

What the Key and his boys did the three years they had? yah, pointed fingers, smiled for the camera and danced with petty little issues.

i don't see other nation's leader doing the same (or as much).

I ran into a news item about the IMF breach on BBC1 yesterday. Certivox's CEO, Brian Spector, joined the broadcast. He said, "Cyber-War is already started." I think that's right. Here is the interview: http://blog.certivox.com/brian_spector/2011/06/13/brian-spector-on-the-bbc/

I bet National ticked a point in its checklist to winning this year's election.

So Labour Party President is all upset and crying foul that their more popular and brighter opposition didn’t point out glaringly obvious lapses in their website security – well, Labour have a reputation and track record of not listening!

Ya can always tell a Labour politician – ya just can’t tell them much!

The NZ public have told Labour for years what they’re doing wrong, but ideological dogma to failed philosophies and tactics still is preferred over listening to the public and offering realistic solutions besides overtaxing the hard working to fund those that elect not to train themselves, or up-skill or even be bothered to get off the benefit – especially when Labour bribe gullible voters with election year lolly scramble “free money”

I would have thought Labour would have had all the resources/experience they needed to know when someone was trying to get in their back door – or is that wisdom only for their male MPs when present with barely legal, intoxicated teens in the early hours of a weekend?

Why do Labour MPs put Viagra in their cuppas? To stop their ginger nuts going soft!

Labor = Losers

So Liabor complain about a supposed National Party leak of information from their insecure site. Is this the same Liabor Party that leaked notes from a confidential meeting between Don Brash as leader of the opposition and visiting American politicians? Is this the same party that leapt on stolen emails from Don Brash and leaked them to all and sundry? What goes round comes around guys.
And I note the Liabor Party continues to steal our money by using parliamentary staff to undertake political work, something that is strictly illegal. Well you can't change the law in retrospect this time guys to legalise your theft.

Does it really take an election loss (read another massacre) for Labour to realise that Phil the Pill is a complete loser? For heavens sake he was a discredited politician after the third Labour government. The fact that he has come back and wimped and noodled his way to the top of the party speaks volumes about Labour.

It's not their fault - Ronald McDonald didn't want to compromise his integrity by association - so they really are stuck with the people they have!

Good job too - they deserve each other!

Poetic irony really - the unions espouse promoting people for longevity over ability - and now the chickens have come home to roost - leaving egg all over their faces and Labour's "reputation" in an even worse state!

I would love to rubbish Labour over all their failings - but I don't need to - they do a perfect job by themselves.

Couldn't happen quick enough to a more deserving bunch of hypocritical failed bunch of idiots.

Just so we're clear about what "exploiting a security hole" involves - if you enter this google search you have done it:

http://www.google.co.nz/search?sourceid=chrome&ie=UTF-8&q=site%3Alabour.co.nz+sql+goff

I would be surprised if it were a crime to look for things on Google, when the content owner has left it in such plain view.

The bottom line is that public organisations need to make sure they use competent IT staff or partners.

"competent IT staff or partners"

They can't - they have to use their union work force and rely on the failed mantra of long service / longevity rather than ability to achieve desired outcomes.

Hence why the bloated Public Service whenever Labour flukes into government.

God the NBR must squirm at some of the nonsense written here.

Try and be a little less serious Em.

What a load of whining bollocks from the Labour supporters here (and the party's own excuse-making machine, to boot).

The internet is full of passers by who stop briefly to look in amazement at examples of stupidity (perhaps its most common use), and this is no different. All a National party staffer would have done is - on reports of the wide open insecure content - stopped by to look, said the obligatory "Holy dumb-asses, I can't believe Labour is failing so badly", and moved on.

For Labour to try to excuse themselves by pointing the finger at National is desperate and silly.

I agree - no breach. Blaming National is sheer pathetic desperation. But if the credit card details were there for anyone to see, it seems to me that Cameron Slater publishing names should be the least of their problems. Every dodgy operator in Eastern Europe and Nigeria would be all over this. Has Labour told its donors to cancel their credit cards? When do the dodgy, questionable transactions begin to appear? Aside from the initial Labour donation of course...

David H - more like the goose that lays the golden eggs.

I'd like to see the list of teachers who are HARD ON labourites, the same ones that poison the fertile minds of our children in schools with their support of doomed socialistic policies, whilst not declaring their conflict of interest before the brain-washing sessions. Please Cameron, show us their names!

To the ... whiners leave your doors open before heading to bed tonight and then complain in the morning to someone who cares!!! That's right .... !!! Hard the.....

Don't depend on the government or companies to protect your data. I use this free service to send and receive encrypted emails at https://www.sendinc.com/ It allows anyone to send and receive military-grade secure encrypted emails in minutes and requires no special technical expertise. There is no required software to purchase, download, or install. There are no encryption keys to generate, publish, or maintain. And anyone can use it to transmit and receive secure messages for free using strong email encryption.