National admits Labour data breach - but denies passing names to Whaleoil
The National Party has admitted exploiting a security hole in the Labour Party website but denies passing data to a right-wing blogger who plans to release the names of Labour Party donors.
National's president, Peter Goodfellow, confirmed a head office staffer accessed the data but denied it was passed on.
The Privacy Commissioner has raised concerns and is monitoring the situation.
The confession means lawyers' opinions sought by NBR now apply in part to Natonal's situation as well as Whaleoil blogger Cameron Slater, whom earlier today threatened to release the names of 452 Labour Party donors.
The Labour website security flaw allowed a database containing supporters' personal information to be freely downloaded until the problem was fixed over the weekend.
The database included a mailing list containing the names and email addresses of about 18,000 supporters and a list of hundreds of recent online donations, complete with names and amounts given.
Mr Slater, who said he had a copy of the data, threatened on his website to release the names and email addresses of thousands of Labour supporters tomorrow.
Labour Party president Moira Coatsworth today said the party had unreservedly apologised to those affected and was attempting to contact everyone whose personal details could be published.
She accused the National Party of downloading the data from its head office and tipping off Slater.
"This is a politically motivated attack," she said.
"The National Party had a choice to alert us to this vulnerability in our system. Instead they chose to exploit it and to download the material and pass the gap on to the blogger, who they knew would reveal private information."
The first breach was as far back as May 27 -- more than a fortnight ago -- but Labour did not detect it because "the people who found that gap in the system didn't tell us", she told NZPA.
"If you find someone's wallet, usually you give it back to the owner. What they did was download and provide it to a right-wing blogger."
Mr Goodfellow said that was a "beat-up".
A head office staffer accessed the data but only out of concern that National's own website had similar vulnerabilities.
"There was so much chatter about there being a gaping hole in the Labour website," he told NZPA.
"I would have thought it's like driving past a fire and stopping to have a look."
National had not passed on any information and did not intend to, Mr Goodfellow said.
Staff were looking into whether the data had been retained, but Mr Goodfellow would not give an undertaking to destroy any details still being held.
He denied National had an obligation to inform Labour about the security flaw.
"I wouldn't expect them to notify us if there'd been a gaping hole in our internet site, I'd expect one of our tech guys to find out about it," he said.
"I would be very embarrassed if that was us."
Prime Minister John Key said he did not know anything about the matter.
Ms Coatsworth said the security breach had been due to a recent minor change to the website which had since been fixed. An independent security review would be launched.
"I have unreservedly apologised and we fully understand the seriousness of this kind of event," Ms Coatsworth told NZPA.
"The concern now is the intentional violation of people's privacy by releasing information."
Ms Coatsworth said it was too soon to say what impact the breach would have, but it was possible donations to the party could be affected.
Privacy Commissioner Marie Shroff today said the Labour Party had alerted her to the case.
"I understand the information gained has also been sent to third parties. This chain of events concerns me," she said.
People affected by the data breach could contact her office, she said.