A woman was shocked to find the details of an unknown baby had been added to her online Inland Revenue account and to receive a $240 back-dated payment for the child.
Katie, who doesn't want her last name used, said she received an email from the IRD last week to say her circumstances had changed but it wasn't clear to her how they had changed.
When she went online to check her myIR account she saw a 4-week-old baby boy had been added to those names under her care and as a result she had been paid four weeks of the Government's Best Start payment.
"It was a bit a of a shock seeing a child's name that I didn't recognise being in my care all of a sudden."
She immediately emailed the tax department to let them know of the mistake but as of Monday morning had yet to hear back from them.
"It is just a pain because now I've got to muck around and give it back to them. I still haven't heard anything - but maybe today hopefully, but who knows?"
Katie said she felt bad for the parents of the child who were missing out on the money and had also had a privacy breach of their child's details.
"I would personally be really annoyed...the parents are probably counting on that money, having a little month-old baby. It shouldn't happen.
"Every new baby in New Zealand is entitled to this payment, no matter what. So it is quite a big deal knowing you are going to receive that money."
She said it was shocking that the baby's date of birth, full name and tax number had been sent to a complete stranger.
"Somebody has got to be held accountable for it. There is a lot of stuffing around for everyone whoever has mucked it up."
A spokeswoman for the Inland Revenue sent a response on Monday afternoon stating: "Inland Revenue has taken all necessary steps to correct and resolve this error and apologised for the inconvenience and delays it caused."
The IRD didn't answer questions on how the privacy breach had occurred.
The spokeswoman said giving any further detail would mean breaching the IRD's confidentiality obligations under section 18 of the Tax Administration Act.
She said the IRD did not report the breach to the Privacy Commissioner as it did not meet the requirements for reporting as it was not likely to cause serious harm, was a one-off case with nobody else involved or affected and the affected parties had been communicated with and the matter resolved.