NFA Membership List Exposed on the Internet — Personal Information Privacy is a Corporate Responsibility

NFA-Website-LogoGuarding personal information is a corporate responsibility and one that must be taken seriously by both individuals and the companies they do business with.  This fiduciary duty was, unfortunately, broken by Canada’s National Firearm Association on their website, NFA.ca.

The news broke on the Canadian Gun Nutz forum on September 22, 2013 at 02:23 AM in a post titled “NFA Membership - Full Names visible to public” after the original poster notified the NFA about the security leak on their website.

I noticed today that full names of people who purchase NFA memberships are visible to the internet public. I don’t want to post the url, but I found it today searching various things. I’ve sent an email to the NFA about it,” wrote CGN user mstoetz1.

The leaked information was removed from the NFA’s website by Sunday morning, although cached copies of the data were still available through Google’s search engine cache if you used certain search terms.

CGN user Over_Kill wrote:

NFA and/or their web company need to fix this ASAP. Over 4,600 names on that list with first/last names, contribution amount, and date of contribution. No address information though (and thank goodness).
Just out of curiosity, I picked a unique name at random (something I thought was a rare name), plugged it into Google with the word “guns”, and found a “like” on facebook for a firearms company in Ontario, that lead me to the facebook profile of the person on the list, and his address (town/province only). It was a small town, so a quick trip to canada411.ca with the name and town, got 2 listings for that name in that town with address and phone number.
As I said, the NFA list doesn’t contain address or phone number information, but anyone wanting to find that information could do so for at least some portion of the list, and with reasonable accuracy.

This obviously was not done on purpose, as no organization willingly posts the names of their members online without first obtaining permission, but it does highlight the necessity for every organization to take privacy seriously, something the National Firearms Association, or at the very least Chameleon Creative, the NFA’s web services provider, did not.

Shawn Bevins, spokesperson for the NFA, wrote:

The information has been removed and no information has been compromised, according to our admin log none of this information was downloaded or copied.

Unfortunately, Mr. Bevins is not a security professional, nor does he know much about what an admin log will or will not show.  CGN User Alter3D set him straight, however.

Firstly, thank you for your quick action in dealing with this when the problem was brought to light. That’s probably one of the fastest, most professional responses to a security problem that I’ve seen -- and I deal with a lot, since I work in IT.
That said, my IT knowledge also calls “bollocks” on your claim that none of the information was downloaded or copied. Every single person who viewed that list “downloaded” it, even it it stayed in their web browser, so if you’re claiming that no one downloaded it, I can tell you, categorically, that you’re wrong, because at least 4 people in this thread (myself included) have “downloaded” it to view it in their browser. Your “admin logs” would have NO WAY to know if someone copy/pasted it out of their browser and into, say, Excel.
If you mean that people’s personal details like address, credit card info, etc was not compromised is a different issue that I would be willing to believe, but the list as exposed by the OP was definitely downloaded and could have been easily copied.

Shawn Bevins tried mitigating the NFA's public relations nightmare but he only succeeded in digging himself and his organization a bigger PR hole.

Our system tracks all IP address's that access our site and logs those addresses, we will pull every single IP address that gained access to the NFA\ORDER page going back to 2010 .We will then run an IP finder report to know where the hits came from. Finding out who accessed the page is easy. Stealing private information including copy & paste is a crime. If anyone here has saved information found on this link, we require that it be destroyed immediately. There are copyright disclaimers on our web page and those rights will be enforced.

The National Firearms Association posted their membership list publicly, if unintentionally.  Anyone accessing that publicly-available data isn't stealing anything. Bevins claim that anyone "stealing" private information would be charged with a crime is completely missing the point.  This is the NFA's failure and nobody else's.

There is no copyright infringement by accessing this readily-available information.  It is, however, a violation of the National Firearms Association's own privacy policy, which states in part:

Canada's National Firearms Association (the Association) is committed to protecting the privacy of members whose personal information is held by the Association through responsible information management practices.  Any personal information provided to Canada's National Firearms Association is collected, used and disclosed in accordance with the Federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the Freedom of Information and Protection of Privacy Act (BC Personal Information and Privacy Act -PIPA).

The fault here is NOT with anyone who accessed supposedly confidential data, but with an organization that claimed to take the protection of personal information seriously and did not.  Pointing fingers at others for their own mistake simply won't cut it.

CGN user Over_Kill put it best when he wrote:

Absolutely horrendous security on the NFA's part. Why is this info even on an outward facing server in the first place?
What the NFA should be doing is giving a VERY humble apology to EVERYONE LISTED ON THAT PAGE, and soon. Yes, my name was on that page as well, and this astounding failure on the NFA's part will make me think long and hard before I renew my membership in an organization that clearly (in my opinion) doesn't take security and privacy seriously.

Privacy and security of personal information is not joke. Every organization must take that duty seriously.  It is unfortunate that the National Firearms Association and/or Chameleon Creative did not.

They are, however, to be commended for taking action quickly as soon as they were made aware of the issue.

Leave a Reply

Your email address will not be published. Required fields are marked *

* Copy This Password *

* Type Or Paste Password Here *

*