IRD’s data leak was far worse then feared with IRD’s admission that despite earlier public assurances that all taxpayer data provided to social media companies was “hashed”, officials had emailed an unencrypted spreadsheet of taxpayer data to Meta (owners of Facebook) containing sensitive taxpayer information of more than quarter of a million taxpayers.

“Only yesterday, IRD Commissioner Peter Mersi took a swipe at the Taxpayers’ Union and falsely accused us of ‘misrepresenting facts’. But just 12 hours later, we learn that in fact there as a mistake: IRD’s data leak was far worse than anyone had imagined.”

"Since we became aware of IRD using taxpayer information to run targeted social media campaigns, New Zealanders have been assured that it's all ok because the data was hashed.  They mislead the public about the protection that process provides, but at least it was something they could fall back on."

"Now they've come clean that it was a ruse all along. Unencrypted data was being sent by email from the IRD's social media team. It is beyond belief. Email is inherently insecure."

“Somehow, IRD’s data-protection is so bad, social media staffers are able to access information from the tax administration system. That alone is a blatant breach of trust for New Zealanders who must entrust IRD with their data.”

“IRD are trying desperately to down play this. They claim there is 'no risk of serious harm' when in-fact any foreign actor or sophisticated cyber criminal can easily penetrate a unencrypted email."

"This is the most serious breach of taxpayer information in the English-speaking world. None of our sister taxpayer groups are aware of anything near this scale or seriousness.”

“Commissioner Mersi’s comments to the media yesterday, political attacks, and lack of straight answers suggests that he has either been misled by his staff or is deliberately obfuscating the seriousness of the issue. Either way, heads must role.”

© Scoop Media