Commerce Commission CEO Adrienne Meikle and Chair Anna Rawlings address media after stolen computer equipment incident Posted by nzherald.co.nz on Monday, 7 October 2019

More than 200 transcripts of meetings and interviews carried out by the Commerce Commission have been stolen during a burglary, sparking serious security concerns.

The documents - many of which are confidential - were on a computer belonging to an external provider that was stolen during a break in.

Commerce Commission chair Anna Rawlings has fronted the media, saying the commission will work with police, explore legal avenues and contact the businesses that keeps its documents secure to review their security.

Rawlings did not say how many people were affected by the security breach or whether the burglary of the documents was deliberate.

She said the commission had a long term relationship with the third party company that was keeping its data on secure servers.

However, she did not reveal the name of the company, saying it was important to protect the integrity of the police investigation and any of the people possibly affected by the privacy breach.

She said she was aware of two other Government agencies using the same company for third party data storage, but was not aware whether those agencies had now severed ties with the company.

Rawlings said the commission was preparing an application for the court to protect the privacy of the stolen documents.

When asked whether the theft was a targeted hack or burglary, Rawlings said the third party company had told the Commission that digital devices had been stolen in a physical burglary.

She said she wasn't aware of any of the stolen information having been disseminated online.

The commission said the third party company had not met its expectations when it came to the security and maintenance of the sensitive data stored on its servers.

When asked how damaging the consequences would be if the information was made public, Rawlings would only say that the devices contained confidential information.

She said the commission first acted to notify those it thought had been affected by the privacy breach when first told of the burglarly, which date back several years, last week. After that it explored its legal options and then notified the media.

The commission had now contacted all the other companies it used to store confidential information to seek assurances about their security.

The information on the stolen computer does not include any documents or general consumer complaints provided to the Commission.

The Commerce Commission is working with Police to recover the computer and sensitive information in it.

It has also severed its contract with the external provider who admitted it had failed to meet its obligations to store the information securely and delete it after use.

Commerce Commission chief executive Adrienne Meikle said the Commission was in the process of contacting those affected to discuss the details of the potentially leaked information.

Some of the information is subject to a confidentiality order issued by the Commission under section 100 of the Commerce Act, which made it a criminal offence for any person in possession of the devices or information from the devices to disclose or communicate it to anyone.

"We are also exploring other potential legal avenues to help protect the confidentiality of the information," Meikle said.

"While this breach has resulted from criminal activity and our provider failing to meet the obligations we placed on it, it is our job to keep sensitive information safe and we apologise unreservedly to those affected. We acknowledge the distress this incident may cause businesses and individuals who have provided information to us in confidence."

Commission chair Anna Rawlings said two separate independent reviews were underway including one led by QC Richard Fowler looking at the circumstances that led to the security breach and another by KPMG to review its information handling processes.

"Information security is crucial to our role and it is vital that those who interact with us can be confident in our ability to protect confidential and commercially sensitive information. "

The reviews were being overseen by the commission board and the findings would be made public once they had considered them.

A Police spokesperson confirmed there was an ongoing investigation into a burglary at a residential address involving an external provider to the Commerce Commission.

A number of items of electronic computer equipment were taken containing sensitive information relating to Commerce Commission business.

"The nature of the investigation means that we are unable to provide any further information at this time."

Police urged anyone with information about the burglary or the computer equipment to contact them.