More than 200 transcripts of meetings and interviews carried out by the Commerce Commission have been stolen during a burglary, sparking serious security concerns.
And the company responsible for storing the documents has told the Commerce Commission it doesn't use "password protection".
The documents - many of which are confidential - were on a computer belonging to an external company that was stolen during a break-in.
Commerce Commission chair Anna Rawlings fronted the media, saying the commission has contacted the people likely affected by the privacy breach as it continues to work with police investigating the crime.
The Commission was also exploring legal avenues to block the publishing of the stolen documents and had contacted other third-party businesses storing Commission documents to review their security.
When Rawlings was asked if she knew whether the "stolen laptops had passwords", she said the company the documents were stolen from had told her that they do not use password protection.
She did not say how many people were affected by the security breach or whether the burglary of the documents was deliberate.
The Commission had previously had a long-term relationship with the storage provider company.
However, she did not reveal the name of the company, saying it was important to protect the integrity of the police investigation and privacy of people possibly affected by the breach.
She was aware of two other Government agencies using the same company for third party data storage.
But she did not know whether those agencies had now severed ties with the company.
Rawlings said the Commission was preparing an application for the court to stop anyone publishing the stolen documents.
When asked whether the theft was a targeted hack or burglary, she said the third-party company had told the Commission that digital devices had been stolen in a physical burglary.
She said she wasn't aware of any of the stolen information having been published online.
The Commission was unhappy with the third-party company, saying it had not met expectations for storing sensitive data.
When asked how damaging the consequences would be if the information was made public, Rawlings would only say that the devices contained confidential information.
The Commission's first step when told of the burglary was to notify those it thought had been affected by the breach. Rawlings said some of the stolen documents may date back to 2016.
After contacting those affected, the Commission explored its legal options and then notified the media.
It had now also contacted the other companies it uses to store confidential information to seek assurances about their security.
Rawlings said the Commission has copies of the stolen documents. But she wouldn't speak about the details contained on the documents.
Nor would she reveal how many people the Commission had contacted to warn they may be victims of a privacy breach.
The response from many of those contacted by the Commission had been supportive, she said.
The information on the stolen computer does not include any documents or general consumer complaints provided to the Commission.
The Commerce Commission is working with police to recover the computer and sensitive information on it.
It has also severed its contract with the external provider who admitted it had failed to meet its obligations to store the information securely and delete it after use.
Some of the information is subject to a confidentiality order issued by the Commission under Section 100 of the Commerce Act, which made it a criminal offence for any person in possession of the devices or information from the devices to disclose or communicate it to anyone.
"We are also exploring other potential legal avenues to help protect the confidentiality of the information," Commerce Commission chief executive Adrienne Meikle said.
"While this breach has resulted from criminal activity and our provider failing to meet the obligations we placed on it, it is our job to keep sensitive information safe and we apologise unreservedly to those affected. We acknowledge the distress this incident may cause businesses and individuals who have provided information to us in confidence."
Rawlings said two separate independent reviews were under way, including one led by QC Richard Fowler looking at the circumstances that led to the security breach, and another by KPMG to review its information-handling processes.
"Information security is crucial to our role and it is vital that those who interact with us can be confident in our ability to protect confidential and commercially sensitive information. "
The reviews were being overseen by the Commission board and the findings would be made public once they had considered them.
A police spokesperson confirmed there was an ongoing investigation into a burglary at a residential address involving an external provider to the Commerce Commission.
A number of items of electronic computer equipment were taken containing sensitive information relating to Commerce Commission business.
"The nature of the investigation means that we are unable to provide any further information at this time."
Police urged anyone with information about the burglary or the computer equipment to contact them.