IRD under fire for taxpayer data leak to Meta

IRD disclosed the full name, email address, postcode, and telephone number using custom audience lists. Photo / file

 

Inland Revenue’s apology for giving Meta, the owner of Facebook, the names, addresses, and other contact details of 268,000 taxpayers is “not good enough,” according to a Tauranga resident who wishes to remain anonymous.

“There should be compensation,” they said.

Data was shared with social media platforms using custom audience lists to better target customers regarding their entitlements and obligations, Peter Mersi, the commissioner of the Inland Revenue Department (IRD), said.

“In the course of our work, we are required to make every effort to contact customers about their entitlements and obligations,” Mersi said.

“That requirement is included in our legislation, and it’s what drives our efforts to use the most effective and efficient means of communicating with people.”

The IRD began using social media in 2013 and, having had considerable success, made increasing use of platforms like Facebook to liaise and communicate with taxpayers.

As of November 4, 2024, Mersi promised not to supply de-identified or hashed customer details to social media platforms for targeted advertising.

The leaked information contained an address, name, full name, email address, postcode and telephone number, he said.

“There was no tax information, no IRD number, no income. It was just those details,” he said.

Mersi promised that those details would not be shared with the technical team at Meta and that the shared information would be deleted afterwards.

No humans interacted with each other as the data was shared, machine to machine, according to Mersi.

At that stage, all they knew was that creating a customer list and the appropriate advertisements did not happen until the list had been completed.

According to the IRD, the only other time that information was shared was via LinkedIn.

Emails were initially given but were later expanded to include first name, last name and country.

“What we had not appreciated because this (information) goes into a box, and that’s when the hashing and the secure transfer occurs,” Mersi said.

“We had not appreciated that only the email was being hashed, so the other information was being transmitted raw.”

This information was shared from 2020 onwards, but Mersi said IRD would have stopped the practice if they had known about the unintended breach.

Mersi admitted that obtaining the data would allow anyone to create large data tables, targeting those whose information was leaked.

“I think the most concerning finding was that we had had an unintended disclosure,” he said.

“The first of those events was with Meta.”

The unintended disclosure was only discovered after an Official Information Act request, according to Mersi.

“The second one with LinkedIn was discovered as part of the review process.”

IRD’s practice of sharing encrypted data with social media saw 8,000 taxpayers protest, fearing their data would be at risk.

“Of the 8000 people we’ve already responded to, 400 of them were included in the list of 268,000,” Mersi said.

That the IRD had been leaking taxpayers’ data to overseas tech firms “beggars belief,” Taxpayers’ Union Policy and Public Affairs Manager James Ross said in a press release.

New Zealanders have been assured that everything is okay because the data was hashed. However, the Taxpayers’ Union said the IRD misled the public about the protection the process provides.

“IRD’s data protection is so bad, social media staffers are able to access information from the tax administration system,” Ross said.

“That alone is a blatant breach of trust for New Zealanders who must entrust IRD with their data.”

Deputy Privacy Commissioner Liz MacPherson said she is very disappointed to learn that Inland Revenue shared identifiable personal information with social media platforms in at least two instances.

“Given the nature of their work and the fact all New Zealand taxpayers must interact with them, it’s important that IR upholds the very highest privacy and confidentiality standards.”

“What is particularly concerning in this case is that IR apparently had no idea that these incidents, including the intentional sharing by IR staff of identifiable personal details of 268,000 New Zealand taxpayers with social media platforms, had occurred,” MacPherson said.

“Based on the information available to us, it is unlikely that the breaches are notifiable under the Privacy Act. However, the fact that the data of so many people was shared inappropriately is troubling, and OPC will seek further information about the incidents that emerged during this review,” MacPherson said.

- SunLive
