The Financial Markets Authority is investigating six cases where sensitive personal information provided to the regulator may have been accessed by third parties.
The finance industry watchdog was left scrambling to shore up its online privacy settings after the Herald revealed that emails relating to a confidential complaint were published on the FMA's website.
The Government agency had to shut down its website while undertaking a thorough review after the Herald informed the regulator of the privacy breach following a tip-off from the public.
The FMA today apologised for the breach that meant complaints documents sent to the regulator between 2015 and 2017 were potentially accessible via internet searches.
Chief Executive Rob Everett said the issue was rectified immediately when the regulator became aware of it, and reassured the public that any information provided to the FMA was now held confidentially.
He confirmed there were six cases where personal information was published, while a preliminary review had identified 27 instances where documents that supported complaints were accessed by internet searches.
The documents were inadvertently uploaded to a portal on the FMA website, he said in a statement.
Of these, six contained sensitive personal information such as financial information. The remaining documents were either already publicly available or did not include any sensitive personal information.
The FMA has contacted those people involved to advise them of the issue and any further steps they should take to protect their information.
"We apologise to those people who supplied us with information and also to the wider public for this error. Their trust and confidence is critical to us," Everett said.
The FMA first learned of the issue following the Herald's inquiry on October 21. The regulator immediately shut down its website to ensure all information was protected. The website was restored on October 23 once the FMA had confirmed no further confidential information was at risk.
"Our immediate focus was to ensure our systems were secure and to protect people's information," Everett said.
"We have reviewed what files were uploaded in this way, what information they contained and contacted those people whose sensitive personal information may have been accessed.
"We are working hard to ensure we get to the bottom of the issue."
The original confidential complaint information related to a former registered financial adviser called Daniel Carlyon.
Financial Service Provider Register details showed a Daniel Harry Carlyon-Johnson was registered trading under Finsol Insurance in Hamilton from September 2013 until November 2014 and then under Aspire Advisors in Auckland's Takapuna from January 2015 to October 2015.
It included emails from and to Gareth Dobson, a business insurance adviser who covers the Hawke's Bay area for insurance, and mortgage broker firm Finsol where Carlyon had worked.
The FMA said it was still investigating the circumstances and has engaged KPMG to assist in its investigations into the cause and extent of the incident.
"However, an initial review indicates that information supplied through an online complaints form between 2015 and 2017 flowed into a folder holding information to be uploaded to the FMA website.
"At no point was the information ever linked to public content on the FMA website, nor could it be located by browsing the website."
Everett said a full review of the issue would be conducted by an independent external party.
As a precautionary step, the FMA has removed the ability to upload complaints information via the website.
Everett said anyone with questions about information they have provided to the FMA should contact the regulator.