Detectives are believed to have obtained hundreds of banking records using an "unlawful" exploit even though police headquarters admits it still has no idea as to the extent of its rogue intelligence gathering.
Barrister Felix Geiringer said it was highly likely there would be multiple instances of "unlawful" access after a landmark opinion from the Privacy Commissioner.
"There are hundreds of these out there, we think, and people don't even know it has happened."
Questions over the extent of the police database of banking records emerged after activist and journalist Martyn Bradbury found detectives had obtained his banking data without a warrant.
Police did so while investigating the identity of the hacker Rawshark, the source for the 2014 election bombshell book Dirty Politics, and used a section of the Privacy Act which allowed banks to waive privacy if doing so would assist "maintenance of the law".
Bradbury, who denies any connection to or knowledge of the hacker Rawshark, complained to the Privacy Commissioner, who found police acted unlawfully and that detectives should have gone to court for a warrant to access such personal information.
Geiringer studied the police practice when it emerged police had used it to obtain banking information belonging to his client, Dirty Politics author Nicky Hager.
In that case, the Privacy Commissioner found it was unlawful for the bank to provide the information.
In Bradbury's case, it was found that it was unlawful for police to ask without providing a court order because the information was so personal and sensitive.
Geiringer said every person by law had a "reasonable expectation of privacy" while people also had - through section 21 of the Bill of Rights Act - protection from unreasonable searches.
He said the Bill of Rights Act would have been breached in other cases where police got banking records using the Privacy Act exception without supporting evidence existing when they could have got a warrant.
Geiringer said it had been well established for hundreds of years that banking information was deeply private and that banks would guard access to that information.
Bradbury has taken the Privacy Commissioner's finding to the Human Rights Tribunal - as Hager did with the ruling on his bank. The tribunal has the power to prosecute and award compensation.
A Police National Headquarters spokeswoman said it had yet to "consider the full impact of the Privacy Commissioner's ruling".
She said there was "no centralised system that records the number of times police may have obtained such records".
The system didn't exist because "there is currently no business requirement to do so" - the same answer then-assistant commissioner Malcolm Burgess gave in early 2015 amid an outcry over police using the exploit to get bank, electricity, travel and other records without a legal order.
Burgess said at the time: "While the Privacy Act provisions can be used to access low-level information, such as basic account details, higher-level data must be obtained through a production order."
The spokeswoman said "potentially sensitive data" police obtained was held in secure case files in the police computer system which had tightly controlled access.
The banking industry body - the NZ Bankers' Association - also had no idea how many times personal banking records had been obtained even though it was the organisation charged with liaising between its members and police.
In a statement, chief executive Karen Scott-Howman said the NZBA had arranged the "letter of agreement" between banks and police which stated "both parties have a common goal of working together to reduce crime".
She said it was the banks' view that information could only be provided to police lawfully.
"Any allegations of unlawful conduct should be referred to the relevant authorities."
A statement from the office of the Privacy Commissioner said the Bradbury case could not be described as a precedent.
"Each of our investigations is limited to the specifics of that case. This means that we cannot extrapolate from this case to other instances in which Police have secured the voluntary co-operation of a business."
The NZ Herald exposed the practice in 2013 and found at least one major bank used the police requests as a "red flag" warning over customers.