Police Minister Stuart Nash says he is "very disappointed" after a gun dealer was able to access private information on the Police buyback website, but insists Police themselves did nothing wrong.
Police were notified yesterday morning of an issue on the buyback notification website which allowed an individual to view the private information provided by other firearms owners as part of the buyback process.
The information included the names, addresses and firearm details of people intending to hand in their now-restricted weapons.
Police say as soon as they were notified, all user accounts were frozen and the website was taken offline while the issue is investigated.
Police Minister Stuart Nash today told media that he has received assurances from German software company SAP, which is providing the IT services for the buyback programme, that only one individual had accessed the information.
Police said an audit was undertaken and that 35 people had their full details accessed by the individual, and fewer than 500 had their name and addresses accessed.
Police said they had spoken to the individual, who "confirmed that the information they accessed has not been used in any way, shape or form".
SAP has said the breach occurred due to a change to user account permissions which had not been signed off by police, and the company has apologised and taken responsibility for the error.
SAP is now conducting an internal investigation into how the error took place.
Mr Nash said the breach was not "a hack", but also said it was "poor form" from SAP to allow it to happen.
All I will say is this is very disappointing," Mr Nash said.
"This is not something Police did wrong, this is something an external provider did wrong and they have put up their hand and they have admitted responsibility and they have apologised unreservedly to Police and the people of New Zealand.
"I think Police are doing a fantastic job on monitoring this buyback ... it is unfortunate that their external supplier got this wrong to the point where this has happened."
He stopped short of saying SAP could be censured or be subject to a fine due to the breach, and said he would not be resigning because of it, as was called for yesterday by ACT Party leader David Seymour.
"I'm not going to resign on this," Mr Nash said, "there's a whole lot of work to do and we're only half way through and I want to see the job done."
The Council of Licensed Firearms Owners (COLFO) said yesterday that the breach could have allowed criminals to track down and steal the now-banned firearms before they are handed in, and urged firearms owners to be more vigilant.
Mr Nash said it was "a pretty long bow [to draw]" to say the information was now in the hands of criminals.
He said he had been assured by SAP that the information was only available to one individual - a New Zealand gun dealer with legitimate access to the site - and that individual had informed them of the issue as soon as it became apparent.
Police have said they would prosecute anyone who was found to have spread such information.
The National Party's police spokesperson Brett Hudson yesterday said that "his [Nash's] Government put the buy-back scheme together.
"It has failed to protect New Zealanders' private and very sensitive information," Mr Hudson said.
"It has failed to deliver a secure environment for personal data.
"In this year of delivery, all Prime Minister Jacinda Ardern and her Government can deliver are privacy breaches."