Privacy stuff-up blamed on email auto-complete

UPDATE: EQC boss offers new excuse for 83,000 clients' Christchurch quake claims being forwarded to an outsider.

March 26: EQC CEO Ian Simpson (pictured) says he has discovered how a email security breach occured. A spreadsheet containing details of 83,000 Christchchurch quake claims was mistakenly sent to an outsider last week.

LATEST: Email auto-complete to blame? Nope. Expert blasts EQC’s ‘Mickey Mouse’ security

"This error was down to the auto-complete function in our email system," Mr Simpson told the Breakfast programme on TV One. "So that's been switched off."

The auto-correct error could barely have been any worse.

The file was mistakenly sent to Bryan Staples, a former EQC employee turned CEO of insurance resolution company Earthquake Services. An associate of Mr Staples who spoke to NBR Online was strongly critical of EQC's overall performance.

Mr Staples, who spoke to NBR this morning, says the spreadsheet contains details such as the the number of settlments the EQC expects to make, and estimated settlement costs.

Mr Simpson says beyond switching off auto-complete,  "There are a number of short term measures we can take to minimise the need to use email to circulate this sort of information. The fuller fix will take a little longer."

EQC uses Microsoft Outlook for email. Auto-complete, which is common to many email programmes, fills in the remainder of an email address after the first few letters are typed.

Earthquake Recovery Minister Gerry Brownlee will meet with EQC bosses this morning over the privacy breach. Mr Brownlee has labeled the blunder "a pretty big mistake."

Government chief information officer Colin MacDonald is also looking into the breach.


Privacy Commissioner thinks about writing letter as EQC admits breach affected 83,000

March 25: EQC has upped the estimated number of people caught in a privacy breach to 83,000 - ten times more than originally thought.

On Friday EQC CEO Ian Simpson said details of 9721 Christchurch quake claimants had been mistakenly sent in a spreadsheet to the wrong email address.

This afternoon Mr Simpson admitted a pivot table in the spreadsheet could be manipulated to reveal the details of every claimant on its Canterbury Home Repair programme, which covers claims between $15,000 and $100,000.

In a statement, the EQC CEO said no names were released, and that "We have undertakings from the recipient that the information was destroyed, so the information is no longer available to anyone outside EQC."

Mr Simpson blamed the breach on human error. "We are reviewing our systems to prevent this from ever occurring again," he says.

Prime Minister John Key calls the breach "distressing."

Privacy Commissioner Marie Shroff says public sector agencies need to have stronger controls in place when handling spreadsheets of personal information.

“The EQC breach is yet another incident involving inadvertent disclosure of large amounts of personal information on a spreadsheet. We hope that agencies are starting to realise that they should have stronger controls in place to help to prevent these types of mistakes. But they clearly have a way to go yet.”

“I think it has reached the stage where the public need some further reassurance,” Ms Marie Shroff said in a statement.

“So I am considering writing to the State Services Commissioner and all public sector chief executives, asking them to tell me what precautions they have put or are putting in place to help prevent inadvertent emailing of client information on spreadsheets.”

Tags:
25 comments
Login in or Register to view & post comments