Tracy Watkins in the Dom Post reports:
Details of 18,000 people were on the databases downloaded by blogger Cameron Slater, severely embarrassing Labour, which had to email donors and people who had contacted it through its website to apologise for the breach.
Slater has revealed on his blog how he obtained the databases, which appear to have been publicly available and easy to download without needing to hack into the site.
It is good that Labour is talking to the Privacy Commissioner. But rather than appealing to her, they should be begging mercy.
The good Commissioner could do worse than read Danyl at the Dim Post who translates technical stuff to English:
Labour registered another site called healthyhomeshealthykiwis.org.nz, also hosted on this server. But when you visited this address you didn’t see a normal web page – you saw a directory listing of the Labour Party web server. This let you browse Labour’s server and read any file you wanted, just as you can with your own computer.
This is considered so undesirable and such an egregious breach of security that the web server software Labour uses (Apache) disables directory listing by default. You have to go into a configuration file and switch it on manually. So I guess that’s what they did.
It gets worse. All organisations back up their sensitive data – usually onto a backup server and/or tapes, which are then kept in a highly secure location. Confidential data like, say, financial records are always encrypted and password protected. But someone in the Labour Party decided to back up their donor database onto their web server – the only server in their organisation accessible to the general public, so by definition the last place you’d put any backup files.
So all you had to do was enter healthyhomeshealthykiwis.org.nz, click on a few directories and you could download Labour’s unencrypted donor database.
Like the Darren Hughes fiasco, this is yet another sign that Labour is not a healthy organisation. It’s a party of perpetual incompetence that’s in deep denial about this obvious fact – to them they’re always the innocent victims of endless right-wing media conspiracies. A party that cannot run itself should not be allowed anywhere near the machinery of government.
If someone really had hacked the Labour website, exploiting a recent vulnerability, then my attitude would be very different. Few websites are immune from a totally dedicated expert hacker. But this is the exact opposite of that – this is listing all your private files on the frontpage of a website.