A USB stick with sensitive information about 1200 clients of a life insurance company - including personal bank account details - has been stolen from an employee's car.
Fidelity Life chief executive Milton Jennings said the stick had been in an employee's satchel which he left in his car as he attended a meeting at the company's Lower Hutt office.
"Unfortunately somebody broke in and stole the satchel. They probably threw it away but as a precaution we had to contact police, the Financial Markets Authority and the Privacy Commissioner, and also the clients."
He said the information related to Fidelity Life's recent acquisition of Tower Health and Life and contained details of people who had investments with Tower.
"Probably the worst situation was details of investments that they held," he said.
There were also personal bank account and other details on the stick.
It did not contain information about Fidelity Life customers or their policies, Mr Jennings said.
He did not anticipate anything would happen as a result of the breach and suspected the thief had just thrown the USB stick away.
"We just had to make sure that we informed everyone in case anything unusual did start happening with their bank accounts or any of their investments."
The employee who left the stick in his car had been with the company only a few months.
He had been stood down while the matter was reviewed, Mr Jennings said.
The company sent a letter to affected customers offering its sincerest apologies.
"I would like to assure you that the confidentiality of our clients is of the utmost importance to us and we are extremely concerned this incident occurred," it said.
A spokesman from the Office of the Privacy Commissioner said they had been contacted by both Fidelity Life and the Financial Markets Authority about the breach.
"We are aware of it and as far as we know Fidelity Life are following data breach guidelines," the spokesman said.
"They've done the right thing by telling us that it's happened and hopefully they will do everything appropriate to mitigate the damages."
He could not comment on the potential seriousness of the breach.