Pullar admits to hacking ACC

The ACC debacle gets murkier and murkier. It todays’ Dominion Post Bronwyn Pullar, through her tame journalist, has admitted to installing malicious code at ACC in order to track her case from within.

Ms Pullar sent Dr Smith’s emailed letter to Ms Parker-Dennis on July 14. Ms Pullar forwarded the email using computer software that allows her to track each time her email has been opened and who it is subsequently forwarded to.

Ms Pullar is now demanding answers as to why her former case manager re-viewed Dr Smith’s letter four times between March 13 and March 19, the day before the New Zealand Herald published details of the contents.

Ms Parker-Dennis opened the letter three times the day before the story broke, Ms Pullar said.

She believes Ms Parker-Dennis had no legitimate reason to re-read the letter, given that she was no longer her case manager, days before its contents were leaked.

People have been wondering how she got sent the ACC spreadsheet that contained the names and addresses of more than 6000 claimants. I don’t think we need to wonder too much anymore.

These types of malicious code (malware) can also allow screenshots of what is open at the time, and the logging of keystrokes, and even the surreptitious emailing of attachments. It seems Bronwyn Pullar has hacked into the ACC systems in a calculating, premeditated and malicious manner.

The funny part is Labour has been dying in a ditch protecting her and and Michelle Boag when is it now clear from Pullar’s expose to Phil Kitchin that she was sitting at her computer in Auckland watching their every move through a piece of malicious code:

Ms Parker-Dennis reopened Dr Smith’s letter at 12.37pm on March 13. It was the first time she had opened the document this year, Ms Pullar said. “She had no business going back into my file because if she was looking for the email containing the mass privacy breach ACC had been clearly told that was an email sent to me, not one I sent to them.”

The email tracking software Ms Pullar attached to Dr Smith’s email shows it was received by Ms Parker-Dennis on July 14 last year. Ms Parker-Dennis forwarded the email to three senior ACC managers.

 The wonder is that an experienced investigative journalist has fallen into the trap of running the story of a hacker. If I were the Police investigating this case I would be serving warrants on Bronwyn Pullar and also Michelle Boag to grab their computers. Since Boag has worked very closely with Pullar it is possible that they used the same type of malicious code to try and set up Judith Collins.

THANK YOU for being a subscriber. Because of you Whaleoil is going from strength to strength. It is a little known fact that Whaleoil subscribers are better in bed, good looking and highly intelligent. Sometimes all at once! Please Click Here Now to subscribe to an ad-free Whaleoil.

  • pidge

    The “embedded code” is usually just a linked 1×1 pixel image, so when you open the e-mail on an e-mail client like Outlook, the image is “shown”, triggering the download of the image from the web server.  The act of requesting the image reveals all sorts of information to the web server the request is made to.

  • Gomango64

    I think she might have been using email management software like mailchimp. Not quite malware or hacking.

  • Petal

    Stretching a long bow here I think Cam.  I wish you were right though.  I think Pullar and Boag need to suffer a non-recoverable blow from this saga.  So far they’ve done more damage to the National Party than all of the opposition combined.  

    With friends like these…

  • Berend de Boer

    +1 pidge; this is not hacking, it’s simply retrieving an email. She can only see if someone opened the email with a client that displays html email and has external images turned on.

  • Adybombs

    What was ACC’s IT spend last year?  Shitloads!!  It is disturbing that despite all those dollars a private individual with limited resources can track who opened an email and when from the outside.  How many other government departments are this leaky?  

  • Peter Wilson

    The more we find out about Bronwyn the more confused I am getting.

    Is she a lion hearted women taking on the beast of ACC? Any skullduggery taking on a behemoth like a government department can probably be forgiven in any case.

    Or is she a rather sad person, afflicted with psychological injuries through accident, who needs to move on with her life, and not drag other people into her world, with unfortunate consequences?

  • John A

    Ms Pullar is obviously a total fruitloop. Not her fault, she’s had a brain injury and not recovered well. The media should stop reporting on her fantasy rants and get on to some real news.

  • Petal

    “Ms Parker-Dennis reopened Dr Smith’s letter at 12.37pm on March 13”

    How  do we know “Ms Parker-Dennis reopened”?  Even if a computer is designated to one specific person, how do we know it was a specific person at the keyboard at the time?

    The fact that Pullar is claiming specific people opened a document instead of saying “and someone at the computer on XYZ’s desk” suggests that either she’s making shit up and the media are taking it as gospel (hey, it’s filing column inches, facts are irrelevant), or Cam is right and the software/method employed by Pullar is in itself a story.

    If a disaffected ACC “client” can do this to a Government Department from home, what does it say about the general systems security around Parliament?

    My money is on Pullar making shit up.  Boag will have told Pullar that making these unsubstantiated claims will be safe enough, as either 1) ACC will bring their own logs, which then become an interesting source for further digging, or 2) ACC will only “deny” it, which means the lies stand unopposed, and 3) this sort of technical stuff is WAAAY beyond the public’s understanding or interest to pursue.

    It’s a pretty low risk approach from Pullar’s end.  Especially since reason and a sense of proportion seems to have left her.  Boag and Pullar make shit up, the media publish it without a single mention of how unlikely it would be, and essentially the “fact” is born.

    This wouldn’t be happening if Boag and Pullar didn’t have the media on a leash.  I’m just sitting here waiting for this thing to run out of steam so the media will turn around and get started on those two “ladies” to fill column inches.

    •  Perhaps that’s why there was a note of triumph in Collins’ voice yesterday when she said that computers would be fornsically examined, and that she welcomed such a move…

      • Petal

        … “when you’re explaining, you’re losing”?

    • jay cee

      or just maybe the media are aware of what is really going on and are just giving boag/pullar, and by connection, collins, more rope.

  • Bob

    Here’s hoping Crusher includes ‘Teh Standard’ in her defamation action, they have been wetting themselves with excitement and making all sorts of accusations. Would be most entertaining to watch them implode!

  • Roland S

    Bronwyn Pullar is a really tragic piece of work and Michelle Boag is equally sick to be maliciously expanding on and pandering to the little stories.   Both of them need to be seriously censored and made to account for their actions with regard to ACC – the whole issue is a minefield! I don’t think for one moment that Pullar is stupid, but she is certainly dangerous, disruptive and very bitter – doesn’t she get it that life is a journey of great things and not so flash things happening – she is not the only person to have suffered after a bad accident – go check out Burwood or any other hospital in the land.. In fact she would be well received to help work with some of those folk on their rehabilitation.  Put your experiences to work lady instead of trading on them and feeling sorry for yourself..

  • Guest

    I dont see any problem with making sure that YOUR OWN emails only go to people intended and monitoring who else people send your correspondence without permission. I must find out how it is done.

  • Rolla

    Crap Whale, if this is hacking then the police are going to be mighty busy busting all the hackers wearing suits i.e business people who regularly use email tracking software to check if emails are bieng read and passed on as they need to be, or passed to where they shouldn’t.

    If one didn’t know better, people could suggest that there’s a reason why you dislike pullar so much. I get why you don’t like boag, no one does, but why the over egging of the hate for pullar, when she does enough on her own to bring it all crashing down, without you being missleading.

    I wrote to Maryan Street when she was ACC minister about my claim troubles with ACC, and she got a senior ACC manager to ring me and appoligise for the lack of progress on my case, and their general uselessness. Should she have been forced to resign too? Have I done something wrong, after exhausting all the normal ACC processes and getting nowhere, and then out of frustration writing to the minister?

  • Petal

    I mean, no matter how much this blog and its readers dislike how this is going, and have declared Boag an incompetent for it, you have to admit that she’s managed to direct this play very, very well so far.  

    Boag and Pullar are the ones lobbing the grenades at such a rate that the media have no time to actually investigate the veracity of any of it.  They’re out of breath just reporting the day to day goings on as orchestrated by the Fantastic Two.

    Boag may not be a friend of the National Party, but if she manages to do this without the media turning around and chewing her up, you will have to admit she’s a PR expert of Machiavellian standard after all.  Who cares about some collateral damage – oops, oh well, moving along.  Not going to hurt her prospects – she will get the job done “no matter what”.

    Come on MSM, grow some balls.

  • A-random-reader

    pidge is absolutely correct about the method used to track emails. Every time the email is opened, the email client automatically retrieves the linked image from a web server and it’s trivial to check the server logs to see:

    a. What date & time the image was downloaded.
    b. What IP address has accessed the image.

    If the same IP address is used repeatedly to access the image, it’s reasonable to conclude that the same computer is being used to access the image (government sites generally don’t use NAT gateways).

    There’s no need to use malware.

    • Petal

      And how would this indicate the exact *person* reading the email?

      • Rolla

         Well unless the government cut ACC’s budget so much that ACC staff have to share computers, and given we haven’t read about it in the media, one can safely assume it hasn’t happened.
        So we have to assume whoever opened the emails had access and the logons to that computer, the only way it wouldn’t be Ms Parker-Dennis, is if she had given her password to someone else, which I’m sure would be a breach of ACC policy, and potentially client privacy, and thus make her liable for termination from employment.

      • A-random-reader

        It doesn’t reveal the exact person.

        But it is a reasonable assumption.

      • Eli

        The only way it could be multiple people is if ACC claim handlers are in a open plan, hot-desk office environment. 

        Though I’m sure they could see who was logged into that machine at what time, depending how long they keep their logs.

  • Dave

    I’m waiting for the Fed’s to arrive in their black SUV’s and helicopters followed by our constabulary in their trusty Holdens to investigate PullarGate”, and that she used a computer network as a carrier to relay sensitive information back to herself.   All Dotcom style of course.   

    Lets not forget Pullar was originally trying to blackmail ACC with its own data, instead of simply returning it.   She has cast a brilliant smokescreen.

    • “Lets not forget Pullar was originally trying to blackmail ACC with its own data”

      So its now a fact is it Dave?

      I did’nt realise the Police had finished their investigation/s and had charged her with blackmail …. in fact, I didn’t even know this had been in front of the Courts already!

      People like you, whaleblubber, and Demott Nothingham (Lauda Finem) twist the facts to make yourselves look intelligent and knowledgable but in reality, you all are much like ACC, Aon NZ Ltd and others who have scammed ACC claimants. Check out accforum.org and acclaim-waikato.org cheers

      • Callum

        Lets be clear, there is no possible justification for Pullar retaining that data other than as leverage. If she was really concerned about the privacy of others it would have been handed directly to the privacy commissioner to start an investigation, why sit on it for 7 months? The answer to that is the answer to whether she was simply using it to benefit herself which would reflect very very badly on her.

  • Evan Johnson

    Whaleoil, this is a really long bow.  If it were possible to do all the things you say with e-mail, we’d all be doing it.  I simply don’t see how Bronwyn could be a hacker.

  • Sadu

    Assuming we are talking about a tracking gif and not an actual malware script, I don’t see the problem. Every opt-in newsletter you receive has this kind of tracking built in – if you don’t want to be tracked, it’s just a matter of setting your email client to not open images by default.

    One shouldn’t draw too many conclusions from the output of the tracking script, but it’s another form of evidence that will help with the investigation.

  • SHG

    Based on what was said, here’s what I picture. At least, this is how I would’ve done it.

    1. Place the spreadsheet on a publicly-accessible-but-hidden server. A public folder within Dropbox would be perfect.

    2. Send the email to the desired recipient through an email-tracking service (Campaign Monitor, MailChimp, Constant Contact, etc etc) and include in the email a link to the downloadable file.

    That’s the only way that the sender can say with any certainty “the spreadsheet was accessed on this day at this time”. A file attached to an email is in the possession of the recipient from the moment the email is downloaded and any opening of that attachment is invisible to the sender, but the downloading of a file that resides somewhere else is a trackable event.


    1. Such services do not reveal the identity of third parties to whom the message has been forwarded. They can’t. So a statement like “Ms Parker-Dennis forwarded the email to three senior ACC managers” is not one that can be proved or disproved through an email-tracking service.

    2. Such services can not tell the sender what human persons have read an email or downloaded a file, they can only identify that a particular email sent to a particular email address has been opened. 


    – message is sent to John Smith ([email protected])
    – message is opened by John Smith (the system records that [email protected] has opened the email)
    – message is opened by Jane Doe while at John’s computer (the system records that [email protected] has opened the message a second time)
    – Jane forwards the message to three other people who all open it (the system records that [email protected] has opened the message three more times for a total of five times)

  • Work for a living

    “It seems Bronwyn Pullar has hacked into the ACC systems in a calculating, premeditated and malicious manner.”

    See WO this is where you undo all the good work pointing out the deceit of MUNZ and the like. And simply come across as a rambling troll.

    Go Google tracking email. Look at the programmes, both free and paid, that allow people to track emails sent. It’s not that hard. Not as salacious sounding as hacking I know, but then would people still be drawn to your blog if it’s full of stuff simply plucked out of your arse ?

    How do I know  about tracking emails ? I use it myself.

  • Rbob201

    What she did can’t be considered malicious software nor hacking. It happens millions of times daily across NZ alone with company and private emails.

  • Ed Snack

    Yep, way over the top re malicious software Cam. Unless of course you have some “secret” information that proves your assertions ?

    I’d say this is very close to libel, accusing Pullar and Boag of committing a crime that isn’t.

  • Polishpride

    For someone who spends as much time on a computer as you appear to Cameron your IT knowledge apperas to be somewhat lacking to say the least – Malicious software …? Not back here on planet Earth. Ed is bang on with his comment. 

  • mystery

    Bronwyn Pullar is actually a hero martyr – especially to the majority of ACC claimants. How many of you – if you had a fat bank account – would bother with all this rubbish just because youre so fed up with the bullying and threatening behaviour from ACC towards the valid ACC claimants? She is working for all of us, seeking justice – and good on her for having a heart to expose corruption, and help others less fortunate than herself.

     ACC is currently the biggest taxpayer SCAM in NZ history! Its a cash cow for the government. Thats why they use ‘its’ funds to build a prison, play the stockmarket, buy up properties, pay big bonuses to ACC case managers, while neglecting their very purpose of existance. Theyre supposed to be rehabilitating the victims of crimes, and accidentally injured citizens of NZ.

     Is judith Collins going to sue every ACC claimant, because I can assure you, the things we are saying about her, and the skulduggerous ACC are far worse than the 3 people she attempting to sue at the moment have said or implied.

    This site is very obviously a Pro National Public Relations fiasco.

    God is on the ACC claimants side right now, so youd better watch what you say and do, as this skulduggerous corruption WILL be fully exposed. Bronwyn has our support, and we are going to help her take it right through to the end.

    Godbless us all.

    • Roland S

      What a lot of nonsense – Judith Collins has only recently taken over ACC as a portfolio she has more on her mind right now than to be thinking up ways to make life difficult for ACC claimants.  Admittedly there are big problems in the organization and if anyone can fix that it’s Ms Collins so thank your lucky stars that we have strong, determined leadership from a woman who is continually demonstrating that she takes no prisoners and gets solid results.  Thankfully way too smart for the likes of Pullar.

    • Sponge

      It would appear your head injury is causing you a few issues as well.

  • Brucey

    Wow talk about conspiracy theories coming out of your head. If I was you I would get your facts right before accusing people of hacking computer system. As a computer technician I am fully aware of a site that tags your emails and tracks each and everytime the email is opened or forwarded on. It is not spyware in any form. Go and have a look at readnotify.com your self and you may learn some knowledge that would make your posts factual.

  • EC

    Even if she magically ‘hacked’ rather than using tracking software, all this would do is highlight a huge security hole in ACC’s system. I maintain several large business networks in my job, both of which get slammed with malicious emails every day, and not once has something unintentionally slipped through the net of what is essentially off the shelf security software, you are essentially saying that ACC failed to spend $2-3000 on email security software.

    That said, this could have been avoided, as you can easily set most email filter systems to strip out tracking images.

  • davcav

    EC, how could she have known who it was who accessed her e-mails from tracker software?

    Do you know of any trackers that resolve the IP to MAC?

    I would have thought that a network the size of ACC would be running DHCP without reservations for standard users. How would tracking software identify the person opening the e-mail?

    Don’t forget, Pullar was very specific who it was who opened the e-mails.

  • Brucey

    Hey Blubber Oil have a read you drip

    Note: ReadNotify.com does not use or contain any sp‌y-ware, ma‌l-ware, nor vi‌rues, it is not ill‌egal to use, and does not breach any pri‌vacy reg‌ulations in any countries.

    ReadNotify offers an email certification feature which will digitally sign your email and insert a timestamp certificate. This certificate irrevocably links the body and headers of an email to the date and time they were despatched – and may be offered as court admissible evidence if required. The option to send Certified emails is available on your ActiveTracker plugin, or by manual extension.

    ReadNotify will endeavour to provide the following in your tracking reports:
    Complete delivery details Date and time opened Approximate geographic location of recipient Map of location (available on paid subscriptions) Recipients IP address Referrer details (ie; if accessed via web email account etc) URL clicks How long the email was read for How many times your email was opened If your email was opened on a different computer (such as forwarded)

    • johnbronkhorst

      Do you own the licence to this software…because it sounds like you are trying to sell something!!

  • Pingback: ACC Forum, ACC Focus, just who was behind Pullar’s ACC Trojan? « Lauda Finem()

  • Brucey69

    Are you another conspiracy theorist ????? Nope I do not own the software, I used my brains and resources and found the software on the net which any person in this world can pay for in order to monitor or track emails, i then used my abilities to copy and paste the info into a posting to show blubber oil what a dick he is to accuse people of hacking when he clearly has no knowledge to the capabilities of software that is available

    It also totally contradict blabber oils comments that Pullar has installed code onto ACC’s computers or hacked their computers. But hey if people want to believe a tosser who makes comments like that when he has no true knowledge of the real world then I suppose I have to say good luck to all the suckers who believe in him.

    I hope he doesnt go and cry on Collins shoulder now lol

  • Dear WhaleOil – Hacking? – duh! You’re an idiot. John Key loves idiots like you because they vote for him!

  • By the way, ACC also track the emails they send. They can also “re-call” emails.

  • unicorn

    Lots of the comments here are based on ignorance. ACC is corrupt. This is a fact. No one made it up. Its a fact.

    If you, or your child, or mother, sister, or brother, gets raped, or brain damaged because of a drunk driver, or some other criminal or accidental injury, then you would soon discover exactly how corrupt they really are!

    And good on Bronwyn for getting the ball rolling towards an investigation into ‘its’ corruption.

    At the end of the day, good WILL conquer evil, and the corruption of ACC WILL be revealed.

    A full and thorough enquiry is exactly whats needed here. And then ACC, and its staff, need to be made accountable for ALL their wrongful and abusive actions towards claimants, and the gross misuse/abuse of taxpayers money! 

    Pray for the Auditor-General to order a full investigation.

    Bring it on!!!

  • Anon Guest

    Email tracking has nothing to do with malware.  Emails you write are yours – just because they wind up in someone else’s inbox, does not change that fact.  You wrote, and by the rules of copyright law, it remains yours.  Better – copyright law grants you specific permission to use technological means to protect your copyright, and makes it a crime for anyone else to remove your protection from your works.

    Good on ’em for having the foresight to track their emails, and keep an eye on the resulting mischievous activity!