6 Nov 2024

Inland Revenue's apology for privacy breach of people's details questioned by taxpayers'

10:42 am on 6 November 2024
No caption

IRD sent an emailed apology to 268,000 people who it found had their privacy breached. Photo: Supplied

Taxpayers have more questions for IRD after it wrote to them to "sincerely" apologise for a privacy breach of taxpayers' details.

The department revealed that in October, it discovered a breach of 268,000 people's details, during a review of its decade-old practice of marketing by supplying taxpayer information to Facebook and other social media platforms.

This review was only undertook after RNZ reported on it, after which 8000 people complained.

In an emailed apology on Tuesday to all those people, IRD said, "we value your privacy and are disappointed this incident has occurred. We sincerely apologise."

But one taxpayer responded: "Given that this breach happened back in February, I'm frustrated that IRD has taken so long to tell me.

"As a result of this, I trust IRD a lot less."

The breach on 8 February involved a marketing campaign to people who might have had a tax bill due, IRD said.

Another taxpayer told RNZ the letter stated details were sent to Meta as it was to target those with a tax bill.

Moscow, Russia, 29-07-2023: New Elon Musk's twitter X app on smartphone screen surrounded by other social media network apps. Twitter rebranding. Modern social media communication.

Taxpayers personal details were shared with social media platforms. Photo: Victor Okhrimets / 123RF

"I did not have a tax bill this year, I had a refund. So what sort of systems do they have that are sending my details to Meta when I obviously don't owe tax?"

A third person who got the apology was concerned IRD claimed it was passing on personal information to "fix a problem".

IRD had routinely been sharing the details of up to hundreds of thousands of taxpayers many times a month via a "hashing" encryption automated process, with Facebook, Instagram, Google and LinkedIn, to closely target tax marketing campaigns.

In the apologies RNZ has seen, IRD said an individual's name, email addresses, phone numbers, date of birth, age, country and city of residence were shared with Facebook's parent Meta on 8 February 8 2024.

'The [unencrypted] information was shared directly with Meta support because we were trying to fix a problem with a custom audience file," the apology said.

"This is a file of people that we needed to reach to inform that they may have a tax bill due.

"We incorrectly emailed an unprotected copy of the file to Meta support," deputy commissioner of enterprise service, Mike Cunnington, said.

Afterwards, IRD asked Meta to delete the file.

"They confirmed the information was securely deleted once the problem had been fixed. The file was not used for any other purpose."

One of several taxpayers who contacted RNZ about the apology, said they were unhappy about the breach.

"I don't trust Meta to respect our personal information or Kiwi privacy law, and I suspect that Meta will use our information to sell ads.

"I'm disappointed that IRD was passing information to tech companies without giving me the option to opt out. I think this should be opt-in, not opt-out."

IRD Commissioner Peter Mersi said on Tuesday he did not think trust would have been damaged in any way.

"I want people to understand that if something goes wrong, we will be upfront about it."

The mass privacy breach - and one other breach - were discovered during an internal review sparked in September by RNZ reporting IRD's data-sharing practices with social media companies.

In the second breach, unhashed personal information and company information was uploaded to LinkedIn.

This was "minor", did not involve sensitive information and was not likely to cause anyone serious harm, IRD's review said.

It had been unable to quantify or identify the taxpayers involved.

IRD said neither breach was serious enough to warrant reporting them publicly or notifying customers, but it was apologising anyway, and had told the privacy commissioner in order to "prioritise transparency" and maintain trust.

The deputy privacy commissioner said: "What is particularly concerning in this case is that IRD apparently had no idea that these incidents, including the intentional sharing by IRD staff of identifiable personal details of 268,000 New Zealand taxpayers with social media platforms had occurred."

IRD is maintaining its entire approach to data-sharing for marketing via social media was safe and appropriate, but in its apology said it was stopping anyway.

"This means we no longer provide customer information to social media platforms."

It only stopped because of public opinion, after it got 8000 complaints, Mersi said.

Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.

Get the RNZ app

for ad-free news and current affairs