Police say they’re now confident the risk to potentially thousands of people is low after more details emerged from the hacking of a New Zealand research company earlier this month.
On July 15, police told 1 NEWS a data breach of research company Gravitas could have compromised the contact details of thousands of people who have called police.
Today, police said early indications showed the hack came from Nigeria and aimed to get business billing information from emails.
Assistant Commissioner Jevon McSkimming said there was no financial information in the data that had been compromised.
“Following the breach reported from research company Gravitas we have been unable to get assurances that our information has been kept properly secure,” he said.
As a result, police said they would be terminating their contract with Gravitas.
“Police provide Gravitas with a limited amount of information for the purposes of surveying. It is our expectation and understanding the information is destroyed after it is used,” Mr McSkimming said.
“However we have been unable to confirm the scope of the information compromised. We are confident any risk to people is low.”
He said most of the information police provided to Gravitas was already in the public domain, which was made up of names, phone numbers, addresses and a description of why a person contacted police. These included reports of less-serious crimes like burglary, disturbance and lost property.
Gravitas, which conducted the Citizens’ Satisfaction Survey on behalf of police, was provided the information so it could do anonymised research on people’s levels of satisfaction when police handled complaints.
Police told 1 NEWS on June 15 that the details concerned were captured from calls to police via 111, 105 and *555 (excluding sensitive calls). More than 9000 New Zealanders have been surveyed each year since 2008.
Mr McSkimming said police were continuing to understand the potential impact since the breach was discovered two weeks ago.
He said he was confident there were no integrity issues with staff at the research company.
“However, we are very disappointed that a breach of this nature has taken place,” he said.
“This is not an internal breach involving police systems. However, we are reviewing our processes and practises around management of people’s information.
“We would also urge businesses to be aware of emails purporting to change bank account numbers, which may indicate that their systems may have been hacked.”
Gravitas told 1 NEWS it was a victim of a cyber-attack by a third party who gained access to one of their staff member’s email accounts. It said current findings showed the attack was sophisticated and high-tech, involving elements of social engineering.
“It appears the attacker compromised another organisation’s system, independent of Gravitas, and used that victim’s email address to launch further attacks, including the attack on us.
“All information indicates that the attacker’s motivation was financial.
“We are working as quickly as we can, with the experts, to fully determine the impact of what has happened.”
It said it reported the incident to the Privacy Commissioner and police. It said it was cooperating with police “in all aspects of this investigation”.
1 NEWS also revealed on July 27 the Ministry of Justice was also warned about a possible hack.
“We are working with them to identify what, if any, implications there are in relation to research and evaluation work Gravitas has undertaken on behalf of the Ministry in the past,” a Ministry of Justice spokesperson said at the time.