An embarrassing security incident for the Commerce Commission happened five years after a KPMG review warned it about security failings, according to a report released today.
More than 200 transcripts of meetings and interviews carried out by the Crown watchdog - some of them described as "sensitive" - were stolen in a burglary last October, during which a laptop containing ComCom files was taken from the home of a contractor for an external service provider.
The contractor told the Commission they had not used password protection.
The regulator would not say which documents had been stolen, only that it had copies.
The Commission also promised to release results of an investigation to the public - which it has done today with two reports, albeit in heavily redacted form.
One report is by Richard Fowler, QC, and looks into the specifics of the October incident. The second, by KPMG, looks into the Commission's broader information management and security procedures.
Central details remain under wraps.
The identity of the contractor, the nature of their work and various details of the theft were suppressed by the High Court.
In addition, a section 100 order under the Commerce Act makes it a crime to disclose the contents of the stolen files.
"The report finds the external provider was clearly under contractual obligations with regard to information security and the retention and disposal of confidential material, that they understood these obligations and were plainly in breach of them," Commission chair Anna Rawlings said.
However, both the Fowler and KPMG reports also found fault with various Commission policies and culture - including some "informal" decision-making around security controls. ComCom staff previously leaned on the contractor as a makeshift backup when they needed a copy of mislaid files.
The watchdog has made a number of changes in response, which include:
• Ending the Commission's contract with the external provider.
• Equivalent work is now done in-house by Commission staff or on-site by external providers using Commission devices.
• Contacting current and past suppliers of services to the Commission to seek assurances they have appropriate security processes and protocols in place and to obtain details of those processes and protocols.
• Recruiting a Procurement Manager to improve contract management, reviewing contracts with external providers to ensure they include appropriate security and confidentiality obligations, and changing the internal contract approvals process.
• Making a number of changes to improve the way information is exchanged with external providers and third parties.
We do learn from the Fowler report that "Contractor C" was highly regarded.
But also that Contractor C's house was burgled in 2018 as well - in that instance with no hardware containing Commerce Commission files on the premises.
And that Contractor C had done work for the regulator since at least 2005, but that in mid-2008 there was confusion over whether they had signed a confidentiality agreement.
The confidentiality agreement was then updated at various times as the Commission and the contractor shifted between various media for exchanging files, including email, USB keys, a shared network drive and Box.com.
Confusion over Contractor C's exact security status is a theme throughout the report as it traces the "organic growth" in the contractor's role.
"The pressures of work" meant that Contractor C did not carry out their annual deletion of files at the end of 2018, Fowler notes. In at least three instances earlier, ComCom officials had turned to Contractor C as an unofficial backup after files were mislaid at the Commission's end.
Fowler also notes that a KPMG review of the Commerce Commission's IT security systems, released in May 2014, found "the security in place is not in line with the risks posed." Its major recommendations are listed in his report, but redacted.
KPMG's present-day report says that, while security protocols were broadly appropriate, they were not always followed in practice.
Its report says the ComCom had a "moderate level of maturity" with its security controls but that "the Commission's approach to determining the controls to be deployed and the implementation was in many cases largely informal."
KPMG continues, "No significant policy gaps were identified. The policy requirements, however, are not consistently translating into staff working practices."
It found a "lack of centralised and formal documentation for all key information management processes, in particular those associated with in-confidence information."
KPMG also found, "Expectations are not clear about sharing information with other agencies/bodies outside the commission, e.g. courts."
A number of its report's recommendations are redacted. Those made public include that the ComCom conduct an audit of where all of its sensitive data is located, and that, "to ensure classification and data loss prevention is effective and that any risk assessment is robust," the Commission "should first document the locations of all in-confidence data".
The Commission should consider streamlining its data and document repositories and educate staff on information security issues, KPMG said.
Meanwhile, police say while the investigation into the October 2019 burglary is still open, it is no longer active.
The stolen equipment has not been recovered and the burglar has not been located.
Police remain open to receiving and investigating any new information on the case.
The Commission encourages any person who has information about the stolen computer equipment to contact the police or the Commission.