NZ Commerce Commission discloses data leak

By Dylan Bushell-Embling
Wednesday, 09 October, 2019

New Zealand's Commerce Commission has warned that more than 200 meeting and interview transcripts, some containing confidential business information, have been exposed following the theft of computer equipment in a burglary.

The potential data leak has arisen as a result of the theft of equipment belonging to one of the Commission's third-party suppliers, the regulator said.

The supplier has advised the regulator that it failed to meet its obligations to ensure that information from the Commission was stored securely and deleted after use. As a result, the Commerce Commission has terminated its relationship with the supplier.

The regulator's own network and systems have not been breached, and the potentially purloined information does not include any documents or general consumer complaints provided to the Commission.

Commerce Commission CEO Adrienne Meikle said the regulator is in the process of contacting affected businesses to discuss the details of the information potentially compromised.

"Some of the information is subject to a confidentiality order issued by the Commission under section 100 of the Commerce Act,” she said.

"This makes it a criminal offence for any person in possession of the devices or information from the devices to disclose or communicate it to anyone while the orders are in force. We are also exploring other potential legal avenues to help protect the confidentiality of the information."

Meanwhile, the regulator has launched two independent reviews into the potential data leak, including engaging KPMG to review the regulator's information-handling practices.

Meikle said that while the breach arose from a criminal act and the failures of the third-party supplier to meet its data protection obligations, the buck stops with the commission.

"It is our job to keep sensitive information safe and we apologise unreservedly to those affected. We acknowledge the distress this incident may cause businesses and individuals who have provided information to us in confidence," she said.

"Information security is crucial to our role and it is vital that those who interact with us can be confident in our ability to protect confidential and commercially sensitive information."

Image credit: ©iStockphoto.com