IRD under fire for taxpayer data leak to Meta

IRD disclosed the full name, email address, postcode, and telephone number using custom audience lists. Photo / file

 

Inland Revenue’s apology for giving Meta, the owner of Facebook, the names, addresses, and other contact details of 268,000 taxpayers is “not good enough,” according to a Tauranga resident who wishes to remain anonymous.

“There should be compensation,” they said.

Data was shared with social media platforms using custom audience lists to better target customers regarding their entitlements and obligations, Peter Mersi, the commissioner of the Inland Revenue Department (IRD), said.

“In the course of our work, we are required to make every effort to contact customers about their entitlements and obligations,” Mersi said.

“That requirement is included in our legislation, and it’s what drives our efforts to use the most effective and efficient means of communicating with people.”

The IRD began using social media in 2013 and has used platforms like Facebook more often to liaise and communicate with taxpayers, as it had considerable success.

As of November 4, 2024, Mersi promised not to supply de-identified or hashed customer details to social media platforms for targeted advertising.

The leaked information contained an address, name, full name, email address, postcode and telephone number, he said.

“There was no tax information, no IRD number, no income. It was just those details,” he said.

Mersi promised that those details would not be shared with the technical team at Meta and that the shared information would be deleted afterwards.

No humans interacted with each other as the data was shared, machine to machine, according to Mersi.

At that stage, all they knew was that creating a customer list and the appropriate advertisements did not happen until the list had been completed.

According to the IRD, the only other time that information was shared was via LinkedIn.

Emails were initially given but were later expanded to include first name, last name and country.

“What we had not appreciated because this (information) goes into a box, and that’s when the hashing and the secure transfer occurs,” Mersi said.

“We had not appreciated that only the email was being hashed, so the other information was being transmitted raw.”

This information was shared from 2020 onwards, but Mersi said IRD would have stopped the practice if they had known about the unintended breach.

Mersi admitted that obtaining the data would allow anyone to create large data tables, targeting those whose information was leaked.

“I think the most concerning finding was that we had had an unintended disclosure,” he said.

“The first of those events was with Meta.”

The unintended disclosure was only discovered after an Official Information Act request, according to Mersi.

“The second one with LinkedIn was discovered as part of the review process.”

IRD’s practice of sharing encrypted data with social media saw 8,000 taxpayers protest, fearing their data would be at risk.

“Of the 8000 people we’ve already responded to, 400 of them were included in the list of 268,000,” Mersi said.

That the IRD had been leaking taxpayers’ data to overseas tech firms “beggars belief,” Taxpayers’ Union Policy and Public Affairs Manager James Ross said in a press release.

New Zealanders have been assured that everything is okay because the data was hashed. However, the Taxpayers’ Union said the IRD misled the public about the protection the process provides.

“IRD’s data protection is so bad, social media staffers are able to access information from the tax administration system,” Ross said.

“That alone is a blatant breach of trust for New Zealanders who must entrust IRD with their data.”

Deputy Privacy Commissioner Liz MacPherson said she is very disappointed to learn that Inland Revenue shared identifiable personal information with social media platforms in at least two instances.

“Given the nature of their work and the fact all New Zealand taxpayers must interact with them, it’s important that IR upholds the very highest privacy and confidentiality standards.”

“What is particularly concerning in this case is that IR apparently had no idea that these incidents, including the intentional sharing by IR staff of identifiable personal details of 268,000 New Zealand taxpayers with social media platforms, had occurred,” MacPherson said.

“Based on the information available to us, it is unlikely that the breaches are notifiable under the Privacy Act. However, the fact that the data of so many people was shared inappropriately is troubling, and OPC will seek further information about the incidents that emerged during this review,” MacPherson said.

- SunLive

2 comments

Not good enough

Posted on 08-11-2024 07:42 | By an_alias

All who approved that decision in IRD and ANY other party should be fired.
ALL OF THEM NEED TO GO


Very disappointing

Posted on 09-11-2024 16:33 | By morepork

I read the article several times and I can understand that IRD are committed to reaching people, but they obviously have no concept of the way that social media platforms use the information they get. Neither do most of the people who use the platforms, so they are astounded when they discover leaks like this. (You should know that Facebook has facility to hold several thousand data points about each and every subscriber, including your children's names, your pets' names, your extended family's names, your shopping patterns and much more besides. Furthermore, they harvest this information from third parties, and don't even necessarily ask you straight out. With AI, the harvesting is becoming even more extensive...). If it bothers you, unsubscribe from Facebook and other social platforms. (Personally, I have never been a member.) We could expect better understanding from people like IRD; their responsibility for privacy is high.

