Research company hack

Research company hack targeted business billing information

A security breach occurred when research company Gravitas, contracted by Police to conduct customer satisfaction surveys, was hacked. Police systems were not involved.

Gravitas reported the hack to Police as a crime and we are conducting a criminal investigation. The hackers appear to have been seeking business billing information in order to defraud companies.

We are confident any risk to people is low. Police did not provide any financial or password details from individuals to the research company. Most information we provided to Gravitas is already in the public domain and consists of names, phone numbers and addresses. We also provided a short description of why a person has contacted us, e.g. burglary, disturbance, lost property. More serious events are not included.

Gravitas is an approved All of Government provider. Staff at the research company are police vetted and we are confident there are no integrity issues with employees.

Questions and Answers relating to the incident

I called 105/111/*555 recently. Should I be worried?

We sent a selection of callers’ details to the research company. There is a small possibility that yours may have been included. We advise everyone to follow safe online practices. These include:

  • Be cautious about emails or phone calls asking you to update or verify your details online
  • Be cautious of emails saying you’ve won prizes from competitions that you don’t remember entering
  • Be cautious of emails that try to get you to act quickly by threatening you with legal action or loss of an account
  • Ignore any emails asking you to provide personal information like passwords, or banking information
  • Remember legitimate organisations like banks will never ask you to send them your password
  • Only open email attachments when you’re expecting them, even if you know who the sender is
  • If you’re unsure if an email is from a legitimate organisation, you can contact them to ask. If you do contact them, make sure you go through their official contact channels – don’t use the phone numbers, websites or email addresses included in the email.

I reported a crime online recently. Should I be worried about the safety of my details?

We sent the research company contact details of a selection of people who reported to us online. There is a small possibility that yours may have been included. We advise everyone to follow safe online practices. These include:

  • Be cautious about emails or phone calls asking you to update or verify your details online
  • Be cautious of emails saying you’ve won prizes from competitions that you don’t remember entering
  • Be cautious of emails that try to get you to act quickly by threatening you with legal action or loss of an account
  • Ignore any emails asking you to provide personal information like passwords, or banking information
  • Remember legitimate organisations like banks will never ask you to send them your password
  • Only open email attachments when you’re expecting them, even if you know who the sender is
  • If you’re unsure if an email is from a legitimate organisation, you can contact them to ask. If you do contact them, make sure you go through their official contact channels – don’t use the phone numbers, websites or email addresses included in the email.

Are Police systems secure?

The security breach occurred when a research company that Police uses was hacked. Police systems were not involved.

Why was Police conducting service quality research?

It’s important for us to know about people’s service experience when they telephone us or report online. We use what people tell us to make sure our services are the best they can be. We want to deliver the standard of services that New Zealanders expect and deserve.

What information was sent to the research company?

We sent a social research company contact details of a random selection of people who called 111, *555 and 105 and who reported online.

We sent name, phone number and physical address of people who telephoned us – this is information mostly available in any phone book (e.g. Whitepages). We sent name and email address of those who reported online. The information also included the category or code for the interaction, for example burglary, lost property or wilful damage.

No information about the actual details of the interaction, record of the call or outcomes was shared.

Why did you use a third party to conduct the research? Why didn’t you do it yourself?

We used an independent research company so people could feel free to be frank in their feedback. The researchers talk to people who have called or reported online about their service experience on our behalf.

The research company then provided the results to us in an anonymised way so no individual was identified. The research company was chosen for their expertise and experience in conducting this type of research.

Is Police still sending contact details to the research company?

No - we have stopped all public surveying with this company.

What is Police doing about the security breach?

The research company reported the hack to Police as a crime. We are conducting a criminal investigation. This will help us better understand what, if any, information was taken and to identify the person/people responsible. We have stopped all surveying.

Can I find out if my details were included in the hack of the research company?

We are unable to identify individuals whose information may have been taken in the hack. We advise everyone who is concerned to ensure they are using secure practices. You can find helpful information at Netsafe and DIA Identity fraud.

How many people are surveyed each year?

Researchers either call people or email them a questionnaire to fill out. During the year, researchers talk to around 4500 of our telephone customers and analyse about 1200 self-completion questionnaires from online customers. The information gained from the research helps us improve the services we provide. We are very grateful to the people who are prepared to assist us in this way.
