Are your financial records safe with Xero? [UPDATED]

Rodney Hide explains that maybe your financial records won’t be safe with Xero after revealing that Xero has handed over financial records to the Official Assignee outside of the law.

Is this Xero’s VW moment?

Are your financial records safe with Xero [NZX:XRO]? Or would Xero do a Westpac and release them to state agents on simple request without warrant?

Xero CEO Rod Drury has always said safe. He again reassured NBR readers in July that Xero never releases customers’ financial records to state agents.

Mr Drury said Xero refers requests back to the customer for the information required.

“We are the custodians of our customers’ data,” Mr Drury said.

But one customer knows different. Last year Xero passed her company’s records to state agents, they had no warrant, Xero didn’t tell her, and, indeed, when she asked, Xero denied it.

Deputy Official Assignee Annemarie Foidl had asked Xero to supply the customer’s “user name” and “password” citing s171 of the Insolvency Act 2006. It wasn’t just the records she wanted but access. For a month.

We don’t know what then transpired but we do know Xero “supplied [the Official Assignee] with a report showing the credits and debits of each account connected to the subscription.”

Xero didn’t tell the customer.   

That is outrageous. Some more details.

The customer is my friend Kristina Buxton. Her husband, the bankrupt Dave Henderson, is not a shareholder, office holder or employee of her company.

Ms Buxton has not been accused of doing anything wrong. Neither has her company.

It seems the Official Assignee just wanted to have a look. And Xero let them.

The law is clear. The Insolvency Act 2006 provides the Official Assignee the power to issue Ms Buxton a s171 notice seeking documents relating to her husband’s “property, conduct or dealings.” The Official Assignee can also examine company records under s182 but only for those companies for which the bankrupt is an “associated person” and only with court authorisation, that is, a warrant.

The act provides the Official Assignee no power over third parties for company information.

It would seem the Official Assignee bluffed Xero into release, just as the Police bluffed Westpac.

On her inquiry, Xero’s customer service told Ms Buxton, “I can confirm that no one other than the invited have accessed your Organisation AFB Treasury Ltd.”

That wasn’t true. Once Ms Buxton had established incontrovertible evidence she went back to Xero.

Its in-house lawyer, Matt Vaughan, explained the team member “was not aware that information had been provided to the Official Assignee.” So much for Xero’s reassurances.

Mr Vaughan’s response to Ms Buxton’s complaint is that, “these are matters for you to address directly with the Official Assignee, and not with Xero.”

For Xero, Ms Buxton’s complaint is with the Official Assignee for asking, not with Xero for giving.

And what does Mr Drury say? “Our team looked at this and is confident on our position.”

That’s despite Xero’s actions being in direct contradiction to his public assurances.

I am a customer of Xero, and given the attacks on my data in the past this leaves me with little confidence. I can well imagine with the false complaints laid against me with the Police and IRD and WINZ that there may well have been requests made to Xero, and now that I know that they hand over data without checking with the customer it leaves me feeling a little cold about it all really.

I am going to ask these questions directly of Rod Drury. He needs to sort this out very quickly because this could well become Xero’s VW moment.

 

[UPDATE]

Rodney Hide asked Whaleoil to add the following

11

222

 

– NBR

 


THANK YOU for being a subscriber. Because of you Whaleoil is going from strength to strength. It is a little known fact that Whaleoil subscribers are better in bed, good looking and highly intelligent. Sometimes all at once! Please Click Here Now to subscribe to an ad-free Whaleoil.

Tagged:
  • axeman

    Absolutely!! Your business is keeping other peoples personal and business data, this is nobodies business bar the owner of the data Full Stop. I hope Ms Buxton sues.

  • Really?

    A major Benefit of cloud storage is “Your information can be accessed quickly and easily from anywhere”.

    A major Drawback of cloud storage is “Your information can be accessed quickly and easily from anywhere – potentially by anyone”.

  • Boondecker

    Very concerning – as I use XERO too.

    XERO had better have some answers for this… or their concern will not just be that they haven’t made a profit yet (ever).

  • Seriously?

    I wonder… you may end up owning Xero (and Ms Foidl) an apology…

    Mr Henderson is the 100% shareholder of FTG Trustee Service Ltd. FTG Trustee Services Ltd is the 100% shareholder of AFB Treasury Limited.

    As such, the bankrupt is the owner of the company whose records were obtained, not his wife (she is the sole director of both companies, that may be because his bankruptcy prevents him being the a company director, there might be other reasons I don’t know).

    s171 provides ” In addition to the power contained in section 165(1)(b), the Assignee may, by notice in writing, require the bankrupt, the bankrupt’s spouse, or any other person to deliver to the Assignee any document relating to the bankrupt’s property, conduct, or dealings in that person’s possession or under that person’s control.”

    It may well be thought that the documents relate “to the bankrupt’s property”, since he owns the company. If that is the case is seems no court order is necessary, and that Xero did what they are obliged to do.

    Now this is not my area of expertise, so I may have missed something. Happy to be corrected.

    • Rodney_Hide

      The company owns a company’s records, not shareholders, and then bigger issue to me is Xero never advised the customer the records were to be released and subsequently conveniently and mistakenly denied the release.

      What occurred is in direct contradiction to Xero CEO Rod Drury’s policy of advising state agents to go to the customer direct for the information.

      Even if Xero believed they had to release there was nothing preventing them advising their customer first who on seeking legal advice would have reached a contrary view.

      Also, why didn’t Xero report a state agent’s attempt to use statutory power to obtain the username and password?

      Trust this helps.

      Rodney

      • Seriously?

        Thanks, and yes and no. I do agree that it would have been good for Xero to advise the company what it had done (as opposed to seek its permission).

        In the case of bankruptcy (as I understand it) the assignee effectively becomes the bankrupt in situations like this, and as such this is not like “the state” invading his privacy – more like he is doing it himself. While that may seem draconian, it may be fair enough given that the bankruptcy process leaves many creditors short of what they are owed.

        It still seems to me that the board definition of “property” in the act (“property means property of every kind, whether tangible or intangible, real or personal, corporeal or incorporeal, and includes rights, interests, and claims of every kind in relation to property however they arise”) may be enough to mean that his 100% ownership of the company makes the property of the company his property for the purposes of the act. It would make sense if it does as it would prevent you hiding information (no pun intended).

      • Time For Accountability

        Rodney – check if the Xero database was established directly by the company in which case it will own the data and Xero effectively hold it in trust.

        I would love to be proved wrong. But I have been lead to believe if the database Was established by an Xero partner the data is owned by the partner.

        If true and it is the latter it would change how to approach the matter.

        In either case Xero seem to hold the data on trust.

        • Rodney_Hide

          My understanding is the company established the database.

          Rodney

  • Time For Accountability

    I would ask these two additional questions.

    Who owns the data in the situation that a customer uses Xero after being signed up by a Xero partner such as an accountant and that client then wishes to change accountants or take the database over personally?

    Do partners such as accountants get kickbacks or benefits in any form that could be considered under the Secret Commissions Act?

    • peterwn

      Q1 – that should be covered in the agreement. A professional would generally have a ‘hold’ over client’s files, data, etc if any fees owing.
      Q2 – such kickbacks etc would not be covered by the Secret Commissions Act. This matter has been ‘sorted’ with regard to financial advisers and perhaps this includes accountants. A ‘Secret Commission’ is a fancy term for ‘bribe’. An employee (or individual partner) of an accountancy practice would be guilty of receiving a ‘secret commission’ from (the likes of) Xero, but not if the partners received it collectively or knew that individual partners received such payments/ benefits.

      All professionals nowadays would be wise to advise clients that they may receive a commission from a recommended service provider.

  • Justme

    I would think that the passing over of direct access to a company’s accounts is in direct contradiction to any investigation.
    Any subsequent claims of impropriety or theft are immediately tainted by the secret access provided.
    Just imagine, the police impounding a vehicle that was suspected of being used in a robbery, and then we find out that the police also had a set of keys to the car for several months prior to impounding. All evidence would be discredited.

    • Eagerly awaiting who done it

      Yes did the police do the robbery…or did the owner?

      Very messy. I would assume as stated above that read only access would have removed any possibility of tainting the “evidence” if any is gathered.

  • Hey happy to respond.

    Rodney has been communicating these issues on behalf of his friend Dave Henderson to Xero for several months. The purpose of this article, which is factually incorrect, can only be to deliberately cause unfair reputational damage to Xero which is frankly very disappointing for a former New Zealand business and political leader.

    Our position is clear. Xero takes privacy very seriously. It is core to our business. We strive to look after the interests of our customers.

    We have acted entirely appropriately and according to law and provided what we considered to be the minimum information required under law. This is in line with our privacy policy and current industry practice. We have offered that this particular matter be discussed with the Privacy Commissioner.

    Where possible and appropriate, we will notify affected individuals if we are compelled at law to provide information, but in limited circumstances we are not able to legally do so. In this particular case, we were required to provide information without notification to certain affected individuals as it related to ongoing legal investigation.

    It is not appropriate for Rodney to use his position as contributor in this magazine to advance the interests of a friend and subvert any legal process.

    The internal effort and expense we have put into this matter should give our customers confidence in how seriously we take our responsibilities to keep their information private and secure.

    Hope this alleviates any concerns.

    Rod
    CEO of Xero

    • Rodney_Hide

      Thanks Rod.

      To be fair Xero has been communicating with Ms Buxton for some months to no satisfaction to her. You and I have swapped only two emails.

      Ms Buxton despite repeated requests to Xero has still not had advice of what Xero released, why it was released, and why Xero never advised her of the release. Indeed, Xero initially advised her there had be no release.

      Xero’s response has been to wash its hands of responsibility and simply and repitively advise Ms Buxton to take the issue up with the Official Assignee.

      There is no statutory obligation upon Xero not to advise the customer.

      I am not subverting any legal process.

      Please advise readers of the factual inaccuracies you assert.

      Yes, I stick up for my mates and make no secret of that. I also have a long history of sticking up for people’s rights.

      And I would have thought given that you told me “Our team looked at this and is confident on our position” you would have no problem with you customers knowing what Xero did when asked.

      I should note that in my email to you I advised I was Dave Henderson’s friend and write for the NBR and Herald on Sunday.

      Best

      Rodney Hide

      • Seriously?

        It does appear that one rather important error in what you have been told is that Mr Henderson is a shareholder of the company in question, albeit through another company. From my limited research, that seems to be rather important in regard to the exercise of the s171 non-warrant based rights.

        He owns 100% shareholding of FTG Trustee Service Ltd. https://www.business.govt.nz/companies/app/ui/pages/companies/1361929?backurl=%2Fcompanies%2Fapp%2Fui%2Fpages%2Fcompanies%2Fsearch%3Fmode%3Dstandard%26type%3Dentities%26q%3DFTG%2520Trustee%2520Service

        FTG Trustee Services Ltd is the 100% shareholder of AFB Treasury Limited. https://www.business.govt.nz/companies/app/ui/pages/companies/2262586?backurl=%2Fcompanies%2Fapp%2Fui%2Fpages%2Fcompanies%2Fsearch%3Fmode%3Dstandard%26type%3Dentities%26q%3DAFB%2520Treasury

        • Rodney_Hide

          With the greatest respect that’s not a “factual inaccuracy”. I never claimed otherwise. It’s an irrelevancy as I have already explained to your previous post.

          FTG trustee services Ltd is a corporate trustee. It does not own anything including the shares in AFB Treasury Ltd. All of this was explained to and accepted by the Official Assignee five years ago.

          Not the requests for information now post don’t assert the power you attribute to the OA.

          Hope this helps.

          Rodney

          • Seriously?

            I’m a bit of a novice re insolvency law, so thank for your thoughts on that. I’m a bit more comfortable with trust law and I think we might need to agree to disagree about where legal ownership rests when property is held in trustees capacity (if as you and the name suggests that is what FTG was doing).

            Whether it was right to disclose the information to the Assignee, and whether it was wrong not to tell the company you had done so, are two separate questions. I might agree with you on the latter, but that is not the issue which concerns me the most (it seems more like a customer relations question to me).

            The request you posted cites s171, which is the power I refer to, which doesn’t need court authorization. It does not cite s182, the exercise of which does need Court authorization as you point out.

          • Rodney_Hide

            Yes. And section 171 only concerns the “property, conduct or dealings” of the bankrupt — not the accounts of a company.

            The Ministry of Justice were very clear on the narrowness of the power in their advice to the Attorney General in 2006 when the legislation was updated and the AG was very clear to Parliament.

            The plain reading of the Act is also clear.

            Here’s the link to the Officials Advice:

            http://www.justice.govt.nz/policy/constitutional-law-and-human-rights/human-rights/bill-of-rights/insolvency-law-reform-bill

            Note para 51:

            “In addition, the Assignee’s search powers are subject to the following further checks and balances:

            the documents that individuals may be compelled to provide to the Assignee only relate to the bankrupt’s ‘conduct, dealings or property’;[9] and

            the bankrupt has a right to inspect and copy various documents held by the Assignee, including the bankrupt’s accounting records, statement of affairs, answers to prescribed questions, and records of oral examinations.”

            Cheers

            Rodney

          • Seriously?

            Thanks, that’s an interesting read.

            It seems to take us the full circle: If Mr Henderson owns 100% of the company (via his 100% ownership of the Trustee company which owns 100% of the AFB shares) then the broad definition of “property”, as used in s171 and which I set out in another comment, may (I say may as it is not my field of expertise and I’ve only done limited research on it) make warrant-less search under that section appropriate: the company records relate to the bankrupt’s property (being the company). If not then I’d tend to agree with you that it is a s182 situation and needed a warrant.

            That is what I have been saying all along. But it seems I think the ownership structure of the companies may have a different legal effect than you think.

          • Rodney_Hide

            Yes, and ultimately such matters are up to the courts where this matter is no doubt heading.

            But aside from the legal issues it’s disturbing if a customer of Xero. Mr Smith with his boxes of company records out back starts to look attractive!

            The Cloud is altogether too handy!

          • Seriously?

            I’ll be interested to see the outcome of any Court consideration of the issue.

            I guess I’m a little concerned that if you and others are wrong, and people like me, Xero, and the Assignee are right, then the damage that is now being done to Xero cannot be undone.

          • Rodney_Hide

            1. Xero have had two months privately to explain themselves and haven’t despite promising to do so.

            2. If Xero had gone to the customer first the matter could have been legally resolved before the information was released.

            3. If Xero and the Assignee are wrong, how does that damage to the customer get undone?

            4. Where companies and individuals have simply said no to the OA’s requests, the OA has not pursued them. She obviously is not very confident of the position asserted.

            best

            Rodney

          • Rodney_Hide

            PS I had another point. I think we can both agree that the Official Assignee is not entitled to the customer’s username and password? Yet that’s what she asked for. If she was wrong about that ….

          • Seriously?

            No. She asked for a user name and password to enable review. That could (should) be one created for the purpose, and I would expect read-only.

          • Sun Tzu

            You’re leaving a lot to chance there. Those assumptions are foolish. It is a cardinal sin to provide a customers user name & password to anybody. How was the customer to know anybody was snooping? How would they know to change the password at the expiration of 30 days? Internet 101. Xero have err’d here…big time. Its concerning as I am a Xero customer. I feel like writing to them to get expressed assurances

    • Kevin

      I understand a company can be compelled by law to provide a user’s username and password. Is it Xero’s policy to provide the police or other such authority with a user’s name and password only when required by law or it their policy to provide such information whenever requested by the police or other authority and at Xeros’ discretion?

    • DangerousDave

      Hi Rod

      1. You gave access to a customers data to a state agency without, it appears, the legal requirement to do so.
      2. You failed to notify your customer of this release, yet there appears to be no legal impediment for you to have done so.

      On the information available thus far, the actions of Xero are a clear breach of trust. I am naturally a fair minded person, and I will see how this unwinds over the next few days, but in the absence of evidence to contradict my understanding, I will be withdrawing my (albeit small) business from Xero.

  • richard.b

    This is interesting. Could the following very long bow be drawn:

    Xero is a cloud based storage system that contains private information and states it is secure and no one can access it.
    It appears that is not the case and others can potentially access your personal data.
    If some of that data is copyright, could that breach copyright laws?
    Did Xreo do this knowingly?
    Is this similar to MEGA?
    So, therefore, is Rod Drury really Kim Dotcom?

    • Seriously?

      Rod is only half the man Kim is… in a literal sense that is. I can see Rod fitting into a Kim suit, but the other way around may be a recipe for a lard based explosion.

    • Kevin

      Rod Dury is definitely not Kim Dotcom. In fact if I recall correctly when Kim flung an insult at Rod, Rod responded back by pointing out that at least he didn’t make his money through dodgy means. :)

  • SnapperW

    If the accounts had been held on her laptop at home the Assignee would presumably have needed a court order to get access. Why should they have the right to snoop around in secret because the information is held in the cloud? Do we have different ownership rights over our own information depending on where it happens to be stored?

    • Rodney_Hide

      You are correct. To access company records section 182 Insolvency Act says the OA needs a court order and even then the bankrupt needs to be an “associated person”. A judge would not have granted the warrant.

      Rodney

  • Kristina Buxton

    Dear Mr Drury

    With respect you are seriously misleading the very astute readers of Whaleoil. That is not becoming of a senior New Zealand business leader.

    You advise: “In this particular case, we were required to provide information without notification to certain affected individuals as it related to ongoing legal investigation”.

    The notice now posted above does not “require” you, in any form whatsoever, to not disclose to me, your customer, that you have given a Government agency, who in turn has misled you, full access to two of my
    company’s accounts and financial data.

    Nor does s171 of the Act prevent you in any way from telling me. You simply decided not to tell me and that is quite contrary to all your public assurances.

    But, worse, I have now written to your office more than 6 times asking, begging actually, for you to tell me exactly what compelled you to not advise me that you had accessed my accounts and handed out all my personal financial information.

    Now, please advise the good readers of Whaleoil exactly what stopped you telling your customer you were handing out her information.

    Thank you.
    Kristina Buxton

  • Saffron

    Mr Drury,

    Xero has received millions of dollars in grants from the NZ government.
    You defend your actions for obvious reasons.

    The question now is, how many times has Xero done this?

  • BigDogTalking

    I would like to know why Xero has the ability to do this at all ever.

    Surely it would be a simple thing to make only the authorized user of the data (the company) be the holder of the password that enables access to the data.

    Xero’s need to program the system and the obvious need for total access to do this does not mean they need any access to the data as far as I can see.

    In the event that you died and others needed the password then presumably they would have the power to reset the password as so many web sites etc do and if they did this behind your back you would be immediately alerted by either an email notification (as google, apple, banks etc do already if something unexpected happens on your account ) or assuming they killed that function you would then still know by the fact that you could no longer log in as the password was changed.

    The fact that they can apparently do this at all is a major security flaw in my view.

    • Muffin

      Yes, Banks cant access your online accounting as they dont even know what your password is.

  • goodwitheu

    Mr. Drury deserves some credit for whipping back on here with a comment so quickly, but it comes across whiffy and feels passed to him by his P.R.

    Good money is paid to the big firm accountants- for example Marriots- because you expect that if the government comes a knockin’ they will have the stones to go into bat for you and tell whoever is asking to take a long walk off a short pier.

    That Xero rolled over without a stoush and then minced around with an explanation will have repercussions for them in the eyes of customers.

  • metalnwood

    Very interesting that the wording of the letter suggests that there is a fishing expedition going on and there is no absolute knowledge of any information in the companies records.

    I find it hard to see that this had to be actioned and with secrecy.

    It is also interesting that the letter is quite vague with respect to this persons interaction with the company and that they could potentially ask for information about any Xero customer linking to an investigation about anyone.

  • Woody

    With this surfacing, I must say I am very pleased that I did not go with Xero as my provider for such services. The services offered by Xero fell well short of my various entities requirements, in short what was on offer seemed all puff and no pastry.

    I did ask and was assured verbally that data, access codes and passwords were inviolable, clearly this is not the case regardless of the butt covering by Rod.

    • Time For Accountability

      Xero – Bad reporting but brilliant marketing.

      The Xero databases i have seen are riddled with user input errors.
      Yes i know – Garbage in Garbage out but the reporting and ability to audit the data is so poor it is dangerous. I have even seen GST claimed on wages, interest and bank fees.

      With a good and accurate data entry person it is acceptable but it is so slow and frustrating to use even on Fibre connections.

      I was listening to a side discussion at a recent tax seminar where firms of accountants regretting putting their clients into it

      Rod –
      How are the profit projections?

      What happens to the users data should Xero be liquidated or placed in receivership?
      What fee level % increase is required to make an acceptable profit?

      • Bea

        ” I have even seen GST claimed on wages, interest and bank fees.” That one’s about user knowledge of GST (or lack of checking), not about the software. The ability to make that error is present in any system.

  • Captain_Hindsight

    Surely handing over the customer’s username & password would allow WRITE access to the accounts, where any sort of meddling could be done?

    At the minimum, READ-ONLY access should have been provided.

    If I was a Xero customer, I’d now have about ZERO faith in their ability to keep my accounts secure from meddling. I think this shows a complete lack of basic understanding of accounts systems from Xero. Or should that be Zero?

  • SJ00

    I don’t see the problem here, I get asked daily for my username and password from all the banks, even ones I’m not joined up to. So they don’t actually know your username and password otherwise why would they be asking for mine, all the time?
    And Nigerian prince’s want to give me millions in google prize draws if I give my username and password. Simply when random letters and emails turn up its rude to not just give the information out.

    No, poor form from Xero. Firstly they shouldn’t have the ability to give out a password, it should be encrypted in the database and appear to anyone as a random string of characters. The fact that they can retrieve it and provide it as clear text, without a warranty is unbelievable. It looks more like a fishing trip than anything else.

  • friardo

    Well not exactly a VW moment, the issue seems at this stage to be confined to one customer, rather than 800,000 in VW’s case.
    Has anyone asked Rodd Drury if he knows of any other similar or identical instance(s) in relation to Xero and it’s customers?

  • Keyser Soze

    Not sure I have too much sympathy that whatever data has been handed over. Seems to me Henderson is using smoke and mirrors and trying to obfuscate an interest in this company. Rightly so the official assignee’s powers appear to be sufficiently broad as to provide blanket coverage of all scenarios like this. Otherwise the law would have to be written in excruciating detail and it would never ever be possible to cover all ownership structures dreamed up by accountants paid vast sums to do so. Better to give more power to the assignee together with proper oversight (I have no idea whether this is already in place) to keep them from abusing those powers. Same approach as SIS, GCSB etc otherwise ratbag fraudsters would be truly rampant.

    Full disclosure – I am a HUGE Xero and Rod Drury fan. Xero are one of the very few NZ companies that could be a massive global success both in terms of the ‘beauty’ of the system itself and the profit potentials of the company. Much of Xero’s success is driven by Rod. Perhaps our greatest ever innovator (well he will be if the company becomes a huge financial success!). It is disappointing to see a few MYOB fanbois taking this opportunity to criticise Xero’s functionality/speed etc and making out there are accountants who regret putting clients on to Xero. What total rubbish. MYOB’s online offerings are archaic and there is really no alternative to Xero if you want a solid cloud based accounting system.

    That said, what concerns me most of all in this case is that Xero have completely dropped the ball with one of the fundamentals in the world of cloud systems. They should never have put themselves into a position where they are able to provide ANY information to ANYONE who asks without going via the customer (i.e. email a reset password). This should be a fundamental design of the system itself. Nobody, and I mean nobody, not even the database admin, should be able to extract meaningful unencrypted customer data, ever. No usernames, no passwords, no transactions, no usage, nothing. Any agent, state or otherwise, who comes to Xero with or without a search warrant demanding information should be given a standard response: “The information you request is not available in an unencrypted form. If you would like an encrypted copy of the customer’s data we can provide that but you will have to obtain the customer’s username and password to decrypt it. We physically do not have access to that information. Have a nice day, Rod”

  • Phooey

    So the bottom line here is that if you use Xero then your data might be shared with a govt organisation. Rightly or not.

33%