Labour accidentally left a server open for anyone to have a look around, and people looked. Using a reverse IP lookup site (one that lists the other sites hosted on a given web server), Cameron Slater (Whale Oil) says he found that Labour’s healthyhomeshealthykiwis.org.nz was hosted on the same server as lets-not.co.nz. Healthyhomeshealthykiwis.org.nz turned out to have directory listing enabled, so it showed the files and directories on the server to anyone who asked. Drilling down, Cameron found backups on the server containing records of donations and email addresses from Labour’s mailing lists. He explains further in a video on this post.
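What that kind of find looks like from the outside, as an added example (not code from the original post, and not a capture of the Labour site): fetch a path, check whether the response is an auto-generated “Index of” page, pull the entries out of it and flag the ones that look like backups or dumps. The HTML below is constructed to mimic an Apache mod_autoindex page; the file names, the `SENSITIVE_PATTERNS` list and the `audit_listing` helper are my own.

```python
"""Spot an exposed directory listing and flag backup-like entries in it.

Added example (not from the original post): the HTML below is constructed
to mimic an Apache mod_autoindex "Index of" page, not a capture of the real site.
"""
import re
from html.parser import HTMLParser

# Constructed sample page in the shape Apache's mod_autoindex produces.
SAMPLE_LISTING = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="backups/">backups/</a></td><td>2011-06-10 09:12</td></tr>
<tr><td><a href="index.php">index.php</a></td><td>2011-06-01 14:03</td></tr>
<tr><td><a href="db_2011-06-09.sql.gz">db_2011-06-09.sql.gz</a></td><td>2011-06-09 23:58</td></tr>
<tr><td><a href="site.tar.gz">site.tar.gz</a></td><td>2011-06-09 23:59</td></tr>
<tr><td><a href="style.css">style.css</a></td><td>2011-05-20 10:00</td></tr>
</table>
<address>Apache/2.2.16 (Debian) Server at example.org Port 80</address>
</body></html>"""

# Names that usually mean "not meant to be public": database dumps, archives,
# editor/backup suffixes, and directories called backups/dumps.
SENSITIVE_PATTERNS = [
    r"\.sql(\.gz|\.bz2|\.zip)?$",
    r"\.(tar\.gz|tgz|zip|7z|rar|bak|old|orig|swp)$",
    r"(^|/)(backups?|dumps?|old|private)/?$",
    r"\.(csv|xls|xlsx)$",
]


def looks_like_autoindex(html):
    """Heuristic for an auto-generated listing: Apache and nginx both title it 'Index of /...'."""
    return re.search(r"<(title|h1)>\s*Index of\s", html, re.I) is not None


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags; a listing's entries are exactly those links."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def parse_listing(html):
    """Entries of a directory listing, dropping sort links ('?C=...') and the parent link."""
    collector = _LinkCollector()
    collector.feed(html)
    return [h for h in collector.hrefs if not h.startswith("?") and h not in ("/", "../")]


def find_sensitive(entries):
    """Entries whose names match the backup/dump patterns above."""
    return [e for e in entries if any(re.search(p, e, re.I) for p in SENSITIVE_PATTERNS)]


def audit_listing(html):
    """Full check for one fetched page: is it a listing, and what in it looks like a backup?"""
    is_listing = looks_like_autoindex(html)
    entries = parse_listing(html) if is_listing else []
    return {"autoindex": is_listing, "entries": entries, "sensitive": find_sensitive(entries)}


if __name__ == "__main__":
    report = audit_listing(SAMPLE_LISTING)
    for name in report["sensitive"]:
        print("exposed backup-like entry:", name)
    # The Apache-side fix is "Options -Indexes" in the vhost or .htaccess, and
    # keeping backups outside the document root in the first place.
```

On a real engagement the `SAMPLE_LISTING` string is replaced by the body of an HTTP GET to each path; the rest is unchanged. Disabling the listing alone is not enough: a file under the web root can still be fetched by anyone who guesses or is told its name, so backups belong outside the document root.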
Comparisons to someone stealing something from an unlocked house (or, in one comment I read, looting earthquake-damaged houses in Christchurch) seem misguided. This is more like someone from Labour standing on the street and accidentally including email addresses and donation information in the handouts.
Release of personal information
Cameron was going to release the personal information of individuals obtained from the server, but has now said he won’t, a decision I support: there is no public interest in identifying the average donor or mailing-list subscriber.
John Pagani (former senior adviser to Labour leader Phil Goff) was apparently given access to the logs (I’m not sure why it seemed like a good idea to Labour to spread the access logs, complete with IP addresses, any further) and says that the second IP address to access one of the backup files was 18.104.22.168, which resolves to mail.national.org.nz, a National party mail server. If that’s true, someone at National knew of the security hole in Labour’s website. In a perfect world they would have informed Labour, even though it’s not their job to, but apparently they chose not to. John goes on to say that the logs prove National tipped Cameron off about the gaping security hole, because Cameron appears to be the next person to access that particular backup file. That is plausible, but it isn’t proven by the logs: an access log shows the order in which addresses fetched the file, not who told whom, and a reverse DNS result only shows what the address’s PTR record says. Neither of the above excuses the fact that the server should have been secure to begin with.
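The kind of reconstruction John is describing, as an added example that is not the post’s code and not Labour’s logs: parse Apache combined-format access log lines, list the successful fetches of one backup file in time order, and attach a hostname to each client only where the reverse lookup is forward-confirmed. Everything here is constructed: the log lines use RFC 5737 documentation addresses, the `PTR` and `A` dictionaries stand in for real DNS lookups, and `mail.example.org` is a placeholder, not any party’s server.

```python
"""Reconstruct who fetched an exposed file, in what order, from an access log.

Added example (not from the original post, and not Labour's logs). The log
lines, IPs and hostnames below are constructed (RFC 5737 documentation ranges,
example.org names); the resolver maps are stand-ins for real PTR/A lookups.
"""
import re
from datetime import datetime

# Apache combined log format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample log (not real data).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jun/2011:09:12:01 +1200] "GET / HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2011:09:12:05 +1200] "GET /backups/ HTTP/1.1" 200 1540 "http://example.org/" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2011:09:12:30 +1200] "GET /backups/db_2011-06-09.sql.gz HTTP/1.1" 200 8812345 "http://example.org/backups/" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2011:11:47:12 +1200] "GET /backups/db_2011-06-09.sql.gz HTTP/1.1" 200 8812345 "-" "Wget/1.12"
203.0.113.42 - - [11/Jun/2011:08:03:55 +1200] "GET /backups/db_2011-06-09.sql.gz HTTP/1.1" 200 8812345 "-" "curl/7.21.0"
203.0.113.42 - - [11/Jun/2011:08:04:10 +1200] "GET /backups/site.tar.gz HTTP/1.1" 206 4194304 "-" "curl/7.21.0"
203.0.113.42 - - [11/Jun/2011:08:04:12 +1200] "GET /backups/db_2011-06-09.sql.gz HTTP/1.1" 404 210 "-" "curl/7.21.0"
"""

# Stand-ins for DNS (constructed). In real use: socket.gethostbyaddr(ip)[0]
# for the PTR name and socket.gethostbyname_ex(host)[2] for the A records.
PTR = {"198.51.100.7": "mail.example.org", "203.0.113.42": "vps-42.hosting.example"}
A = {"mail.example.org": ["198.51.100.7"], "vps-42.hosting.example": ["203.0.113.99"]}


def parse_log(text):
    """Yield one dict per well-formed line, with a timezone-aware datetime."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        yield rec


def forward_confirmed(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.

    A PTR record is set by whoever controls the reverse zone, so on its own it
    proves nothing about who operates the client. Returns the name or None."""
    host = ptr.get(ip)
    return host if host and ip in a.get(host, []) else None


def fetches_of(text, path, ptr=PTR, a=A):
    """Successful (2xx) requests for `path`, in time order: who got the file and when."""
    hits = [r for r in parse_log(text) if r["path"] == path and 200 <= r["status"] < 300]
    hits.sort(key=lambda r: r["time"])
    return [
        {
            "ip": r["ip"],
            "when": r["time"].isoformat(),
            "host": forward_confirmed(r["ip"], ptr, a),
            "agent": r["agent"],
        }
        for r in hits
    ]


def distinct_clients(text, path):
    """IPs that got the file, in order of first success: what a breach notice has to account for."""
    seen = []
    for f in fetches_of(text, path):
        if f["ip"] not in seen:
            seen.append(f["ip"])
    return seen


if __name__ == "__main__":
    for f in fetches_of(SAMPLE_LOG, "/backups/db_2011-06-09.sql.gz"):
        print(f["when"], f["ip"], f["host"] or "(no confirmed rDNS)", f["agent"])
```

The output is a sequence of (time, address, confirmed name) tuples. It tells you which clients got the file and in what order, which is what the breach notification has to cover; it does not tell you whether the second client told the third about it, and the 404 on the last line shows a request is only evidence of disclosure when the server actually answered with the content.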
Credit card information
Labour says that “no credit card details were held on the site. All people whose privacy may have been compromised have been informed.”
Flo2Cash, who handle Labour’s credit card payments, say: “All donor credit card data is fully encrypted… the Flo2Cash system… is completely isolated from the Labour Party website… the recent Labour Party website breach has not resulted in any compromise of donor credit card data.”
Do you think National should have let Labour know about the security hole? And if they did know about it, should they have tipped Whale Oil off?