The office of the Privacy Commissioner says it will be another month before it can shed any light on a security breach involving thousands of Telecom customers' personal details.
Power Marketing, a marketing company working for Slingshot, has been accused of accessing the telco's Wireline database, which contains customers' personal information, including the plans customers were signed up to and how much they paid for them.
The database does not give access to credit information or calling histories.
Former employees have also questioned Telecom's security policies and one former staffer said he could still look up customer details despite having left his job more than two months ago.
Assistant privacy commissioner Katrine Evans said enquiries were progressing well, but the level of information that needed to be collected meant it could be another month before an investigation was completed.
"There's quite a lot to do - we have three parties to talk to and everybody with their own point of view so it's just going to take a little while to sift through exactly what has happened," she said.
Evans said the office's investigation had centred on whether there were adequate security procedures in Telecom's database to protect personal information.
It was also looking at whether Call Plus and Power Marketing collected people's personal information and, if so how it was used.
Telecom wouldn't comment on the investigation when contacted, but has previously said it has detailed security polices and practices that it reviews regularly.