Software giant SAP apologises to New Zealand as details of gun buyback data breach unfold

German software giant SAP has apologised to New Zealand after a massive data breach revealed the details of gun owners' names, addresses and firearms. 

The breach was down to a change in access given to dealers participating in the buyback scheme, and while there was no hacking involved, 66 dealers were able to access sensitive information.

Police Minister Stuart Nash said he's still confident in the gun buyback scheme and doesn't see the need to start from scratch, despite calls for his resignation.

"I think it's going incredibly well so far," he said at Monday's post-Cabinet press conference alongside Prime Minister Jacinda Ardern.

Nash's response came hours after a dealer alerted police to a breach in their system, after which they immediately shut down the entire platform where dealers had been able to register their firearms with police.

Police have confirmed that the buyback programme is continuing and will be completed using a manual process to manage the return of prohibited firearms from now on.

"The online notification platform will remain offline until we can be reassured by our vendor that the platform is secure," Deputy Commissioner Mike Clement said.

Initially it was suggested by the Council of Licensed Firearms Owners (COLFO) that the whole database was made publicly available, but both police and the Government are denying that was the case.

"My understanding is one firearms dealer contacted the police this morning and police immediately closed down the database," the Police Minister said. 

"The Commissioner of Police has assured me that they are investigating the matter thoroughly to determine the extent of any breach and what actions need to be taken."

The police and the Government pointed the finger at German software giant SAP, which is supplying the database infrastructure. Both said the contractor gave the wrong software permissions to a dealer.

SAP has apologised to New Zealand in a statement released Monday afternoon. 

"As part of new features intended for the platform, security profiles were to be updated to allow certain users to be able to create citizens records," a spokesperson explained.

"A new security profile was incorrectly provisioned to a group of 66 dealer users due to human error by SAP... We unreservedly apologise to New Zealand Police and the citizens of New Zealand for this error."

The spokesperson said a full investigation is underway.

Ardern explained why gun dealers were given access to the information in the first place.

"Firearm dealers and some gun owners were of the view that not everyone would wish to return their weapons directly through police stations so dealers were created as agent authorities that could be part of the buyback process.

"As part of that they were able to access elements of the register.

"It's very important to be clear here: This is not about a website being open to the general public and being able to be accessed. Dealers were given access deliberately but with the intent that it be used responsibly on a confined basis."

The breach has raised fresh concerns from the firearms community about the Government's plans to introduce a gun register, as part of the second tranche of gun law reforms currently going through the select committee process.

COLFO spokesperson Nicole McKee told Newshub they've been raising concerns about private information like this being "made into a shopping list for criminals".

The Police Minister said it's important to "keep in mind" that before the buyback police registered about 14,000 of the most dangerous firearms under the register that was already in place.

"Keep also in mind that under the legislation in front of select committee at the moment, the proposal is to give police up to two years to develop a registry system with integrity."

The Government has been plagued with a series of data breaches this year, from Treasury's Budget botch-up to personal information of those signed up for Tuia 250 being posted online, as well as the possible breach of medical data of Tu Ora Compass Health patients.

National leader Simon Bridges said, "There have been quite a number of data breaches in this term of Government but this is the most serious by a very long way."

ACT leader David Seymour is pointing blame at the Police Minister, telling Newshub Nash is a "great guy" but "has to go".

"The Police Minister refused to take responsibility, instead blaming police and a software provider.

"It is difficult to imagine how the Government could screw up worse, seriously endangering thousands of New Zealanders from a project designed to protect public safety.

"Firearm owners keep quiet about their firearms so bad people don't know where they are - these idiots in police just told the whole world exactly where they are."

Firearm owner Mark Lewis - who did the right thing and handed in his guns after the ban was announced - told Newshub the breach is "not good enough".

"I've made the effort to keep New Zealand safe now my safety has been compromised."

Nash said he is proud that the Government has taken around 43,000 firearms out of circulation, adding that "the vast majority of those firearms are the type that are used to kill people, not deer or ducks".