Thread: FSA - data and human error. it's a recipe for disaster

Given the data breach of the FSA in recent days, will our data ever really be safe?
For the record, I don't have an issue with the register per se, as a lawful and law abiding license holder, I have nothing to hide from the authorities, quite the contrary BUT I DO have A LOT to hide from any nefarious types who might use a data breach to compile a shopping list, especially given that such types will probably come calling with scant regard for mine or my families personal well being and will have a high probability of being armed and being a lawful license holders, my arms will all be safely locked up and of little use to me in such a situation, anyway, I digress.

I am still waiting for my new license and seeing as the 4 weeks had elapsed and noticing that my letter confirming my license had my PHYSICAL address on it, rather than my postal address, I wondered if my FAL had gone astray.
One phone call to the FSA and it became clear that their "systems" are far from robust. Calling them and explaining the situation "it's been 4 weeks, where's my license, have you got the right postal address for me?" (that's massively condensed, I was much more polite!) it was revealed that NO, they did not have my correct postal address, neither did they know where my license was other than it had been printed over a week ago.....

TWO things are clear, given that EVERY single form I filled out during my FAL application I very clearly added my postal address AND my physical address in the relevant fields, somewhere the "robust system" is not pulling that data across directly...and from a coding point of view that's akin to formatting an excel cell with SUM= (very far from rocket science for those not familiar with excel) now this could very possibly lead to a FAL being sent to the wrong place....I have no idea what other info accompanies the actual card when it's sent out but the card itself is doubtless full of "privileged" information.

Whilst on the phone, the nice chap was unsure if correcting my postal address would trigger the "change of address" procedure.......so I waited whilst he trotted off to find out.
Now, I don't have an issue with this chap, he was doing his best but clearly the training for these new staff has been less than perfect and a flowchart cheat sheet isn't hard to produce and make available....is it?
The other point is they didn't know where my license was, whether it had been posted or not and all they could offer was "if it hasn't shown up in another week, send an email to these chaps and they'll look into it"

This new system cost us NZ$10M........and it's already creaking, the institutionalised civil service has given us a half pie solution as usual, if they were spending their own money you can bet your left bollock they'd make sure they got "value"

I think a properly administered register, administered with well trained and thorough staff (who have been exhaustively vetted) is not a bad idea, sadly, it's not all that and it's likely that this will be the first of many data breaches because consider this, all someone who really wants that data has to do is find an officer (or more likely non-sworn staff with access) and make them an offer they can't refuse for the data (there have been a number of cases of "police staff" dishing out info to gangs etc in recent year) so we can't say "oh, that'll never happen here" because it already has

I was asked to provide details on my storage so I could store a rifle for a friend who they will not allow to store at his own place for reasons pertaining to another family member there. They asked for details on my old address that got changed in the system by me at least 6 weeks ago.

Originally Posted by Happy Jack

I was asked to provide details on my storage so I could store a rifle for a friend who they will not allow to store at his own place for reasons pertaining to another family member there. They asked for details on my old address that got changed in the system by me at least 6 weeks ago.

That was quick. It's taken over 18 months for inspection the last 2 times I moved.

I sold a rifle a few days ago,gave my buyers details to the nicely spoken lady at the registry.All good now she said we just gota wait for yr buyer to phone us to put his & yr details thru.She hadnt done a buyer & seller transfer befor either.
I texted my buyer and told him what I had done and registry are waiting for your phone call.He told me he had done the phoning in the day befor.Guess the 10million rego system was having a day off work.So when all the sports shops in NZ sell 200 rifles on a Saturday morning.The shops has to phone in all the transfers and buyers phone in as well.The rego system will have a heart turn.

Precisely none of this fills me with confidence to be fair. It was creaky before in the firearms space getting things done when you needed something from the constabulary - now it's positively swamped, inaccurate, lethargic and when you do get to talk to someone it's chances fate if they have been involved in what you need to do before and can actually help you... Shocking - and they wonder why productivity in NZ is digging itself a hole to get lower!

And another loss, I was a referee for a neighbour who was applying for his licence (not renewal) and the day he got the actual licence in the mail, the Firearms Safety Authority rang him to say they needed to redo the interviews with him and his wife because they had lost the transcript and data. Apparently also happened to another applicant and his partner who was interviewed on the same day. he is still waiting to see if it a loss to the system or has been compromised and sent somewhere it was not supposed to have. I guess there will always be teething problems, however it shouldn't be with simple data management and control.

Originally Posted by Ruger7mm

the day he got the actual licence in the mail, the Firearms Safety Authority rang him to say they needed to redo the interviews with him and his wife because they had lost the transcript and data.

Seems to me that they're making this shit up as they go along.
Clearly, whatever was said in the interview satisfied the vettor/s, to the extent that a licence was issued and actually arrived into the hands of the applicant.
Is there now a suggestion that because they have "lost" the transcript of an interview that the licence will now be, or has been, revoked?
FFS.

My reply would have been - "I have my licence in my hand as we speak , therefore the process is complete" and hung up.

Originally Posted by Trout

I sold a rifle a few days ago,gave my buyers details to the nicely spoken lady at the registry.All good now she said we just gota wait for yr buyer to phone us to put his & yr details thru.She hadnt done a buyer & seller transfer befor either.
I texted my buyer and told him what I had done and registry are waiting for your phone call.He told me he had done the phoning in the day befor.Guess the 10million rego system was having a day off work.So when all the sports shops in NZ sell 200 rifles on a Saturday morning.The shops has to phone in all the transfers and buyers phone in as well.The rego system will have a heart turn.

Retailers don't have to phone or anything. There's a specific page for doing the registration for dealers. It's simple as, takes a couple minutes at most.

My biggest concern with data security in a system of record is the access people have to it. How many times a year do the Police, courts etc, dicipline staff for having a sneeky peek at something they were not meant to look at.
In a properly designed system, there should be just in time access to a record, that gets triggered when a job comes in through the proper channel. Alerts, and account lockouts of anyone trying to harvest data. Data leakage protection (cannot copy / paste, cannot plug in portable devices, cannot take screenshots, access cloud storage, etc) should be implemented.
If these things are in place, I will feel safer knowing modem practices were put in place.

I'd like to see a security audit from a reputable security firm, giving their blessing that everything is following current best practice. This should be public record to put our minds at ease.

Stats like these always concern me: https://www.police.govt.nz/about-us/...uct-statistics. And these are only the ones reported.


It's not clear what the breach of privacy is, but it does not paint a picture of trust.

Even with that security there is no protection against a device aimed at a screen recording. I recall that happened overseas near an ATM, the buggers arranged cameras to record both sides of the card as it went into the machine and the screen and keypad. Not quite the same as a data terminal in a secured building, but also a lot more involved in setting up a multiple camera feed... Bastards though!

Originally Posted by No.3

Even with that security there is no protection against a device aimed at a screen recording.

Well there is actually, you can take peoples devices off them when they enter/work at a facility. There are already plenty of examples of this in NZ. You can also design the workplace for visibility (open with transparent partitions) such that any illegal behaviour is more difficult. And you can use security cameras as a final deterrent. But thats a hardcore approach.

From an IT perspective a better approach is to audit all data access, and with modern tools it's possible to observe unusual patterns of behaviour. For example an employee viewing data they have no valid reason for, or viewing lots of data records. I believe Police already do this to some extent (from other stuff in the news).

That is true, but those sorts of measures do not protect against someone who is intentionally intending to rake the data over a period of time. Similar efforts have been reported overseas, usually around financial systems and crimes of that nature. Once the system is breached it's all over unfortunately.

Originally Posted by Happy Jack

I was asked to provide details on my storage so I could store a rifle for a friend who they will not allow to store at his own place for reasons pertaining to another family member there. They asked for details on my old address that got changed in the system by me at least 6 weeks ago.

Well the system is working I guess, now they have asked to book a date to come and do my inspection at the correct address after I pointed out their mistake.

as long as your initial point of contact was before the commencement date of the "register" then this should not be an activating event for you.