The finance industry watchdog has been left scrambling to shore up its online privacy settings after it was revealed that emails relating to a confidential complaint were published on its website.
The Financial Markets Authority has shut down its website and says it is undertaking a thorough review after the Herald informed the regulator of the privacy breach following a tip-off from the public.
• Kathmandu investigating month long privacy breach
• Security breach: Computer with confidential Commerce Commission meetings and interview transcripts stolen
• NZTA admits data admits data breach after lax security
The confidential complaint information related to a former registered financial adviser called Daniel Carlyon.
Financial Service Provider Register details show a Daniel Harry Carlyon-Johnson was registered trading under Finsol Insurance in Hamilton from September 2013 until November 2014 and then under Aspire Advisors in Auckland's Takapuna from January 2015 to October 2015.
It included emails from and to Gareth Dobson, a business insurance adviser who covers the Hawke's Bay area for insurance, and mortgage broker firm Finsol where Carlyon had worked.
Contacted on Monday, before the information was removed, Dobson said the situation was "concerning".
"It is really strange. The FMA are supposed to be protecting people's data. They are doing completely the opposite."
Dobson said he had made a number of complaints about advisers to the regulator over the years but had never given permission for his complaints to be made public.
"There is stuff from old accounts, clients' names. It is not good." He said he would be complaining to the FMA and asking for the information to be taken down.
Dobson blamed the situation on the under-resourcing of the regulator.
"The FMA is completely under-resourced."
The documents also included an email from a business which referred its clients to Carlyon for insurance, Hamilton chartered accountants Maisey Harris & Co.
Nathan Maisey, the business owner, complained about Carlyon's poor service and said it reflected badly on his business.
Maisey did not respond to requests for comment on the privacy breach.
The anonymous person who told the Herald about the information leak said the FMA had "failed to protect the identity of the complainants and the victims of misbehaving financial services companies by making the information available online".
A spokesman for the FMA said the privacy breach should not have happened and it apologised to anyone impacted.
"The document concerned has been removed and the content can no longer be seen."
He said the FMA had processes and policies to protect personal and confidential information.
"We are now conducting a thorough review to understand how this occurred.
In the meantime, we've taken the precautionary step of closing the website while we review the situation."
An FMA spokeswoman said it had been unaware of the breach until contacted by the Herald.
As of Tuesday morning said it was still working on getting to the bottom of the issue and the website would be down until it was 100 per cent certain that the issue had been addressed.