New Zealand regulator confirms privacy breach affecting complaints documents

New Zealand’s Financial Markets Authority (FMA) today apologised for a privacy breach that made complaints documents sent to the regulator between 2015 and 2017 potentially accessible through Internet searches.

A preliminary review has identified 27 instances where documents that supported complaints were accessed by online searches. The documents were inadvertently uploaded to a portal on the FMA website. Of these, six contained sensitive personal information such as financial information. The remaining documents were either already publicly available or did not include any sensitive personal information.

The regulator has contacted the people involved to advise them of the issue and any further steps they should take to protect their information.

The FMA explains that it first learned of the issue following a media inquiry on October 21, 2019. The regulator immediately shut down its website to ensure all information was protected. The website was restored on October 23, 2019, after the FMA had confirmed no further confidential information was at risk.

The issue relates to documents that were provided to the FMA several years ago, and the regulator is still investigating the circumstances. An initial review indicates that information supplied through an online complaints form between 2015 and 2017 flowed into a folder holding information to be uploaded to the FMA website.

The regulator notes that, at no point was the information ever linked to public content on the FMA website, nor could it be located by browsing the website.

The FMA has worked closely with the relevant government agencies and departments, and has hired KPMG to assist in its investigations into the cause and extent of the incident.

As a precautionary step, the FMA has removed the ability to upload complaints information via the website.