A systems update by SAP for the cloud platform used by the New Zealand police as part of its government-mandated gun buyback of semi-automatic rifles caused a privacy breach, leading to the entire online system being shut down.
Deputy commissioner Mike Clement said the problem was reported to NZ police by an arms dealer with legitimate access to the firearm buyback site, who was able to view details of gun owners.
The New Zealand government instigated a buyback programme for semi-automatic firearms after the Christchurch mosque shootings in March this year that killed 51 people. and injured 49, the deadliest such attack in the country's recent history.
NZ police were notified of the privacy breach on Monday morning.
Clement said that the system update was not authorised by the police, and lead to arms dealers having a higher level of access to notifications in the registry database than they should have had.
Police said only one dealer logged in after the update, making the breach an isolated incident. The personal details of gun owners, particularly location based data, is regarded as acutely sensitive.
A spokesperson for SAP confirmed the German enterprise software vendor was notified of a security breach to the New Zealand police gun buyback system..
The SAP spokesperson said that as soon as the full details of this incident were understood, all user profiles on the system, except for SAP consultants investigating, were locked, and remain so.
A total of 66 arms dealers in the system were assigned the wrong profile due to human error by SAP, the spokesperson said.
"We unreservedly apologise to New Zealand Police and the citizens of New Zealand for this error," the SAP spokesperson said.
While investigations into the botched upgrade continue, the police managed buyback programme will continue manually.