FMA apologises for privacy breach
MR No. 2019 – 58
7 November 2019
The FMA today apologised for a privacy breach that meant complaints documents sent to the regulator between 2015 and 2017 were potentially accessible via internet searches.
FMA Chief Executive Rob Everett said the issue was rectified immediately when the regulator became aware of it, and reassured the public that any information provided to the FMA was now held confidentially.
The FMA has identified six cases where sensitive personal information provided to the regulator may have been accessed.
The FMA has contacted the people involved to advise them of the issue and any further steps they should take to protect their information.
A preliminary review has identified 27 instances where documents that supported complaints were accessed by internet searches. The documents were inadvertently uploaded to a portal on the FMA website. Of these, six contained sensitive personal information such as financial information. The remaining documents were either already publicly available or did not include any sensitive personal information.
“We apologise to those people who supplied us with information and also to the wider public for this error. Their trust and confidence is critical to us,” said Mr Everett.
The FMA first learned of the issue following a media inquiry on 21 October. The regulator immediately shut down its website to ensure all information was protected. The website was restored on 23 October once the FMA had confirmed no further confidential information was at risk.
“Our immediate focus was to ensure our systems were secure and to protect people’s information,” said Mr Everett.
“We have reviewed what files were uploaded in this way, what information they contained and contacted those people whose sensitive personal information may have been accessed.
“We are working hard to ensure we get to the bottom of the issue.”
The issue relates to documents that were provided to the FMA several years ago, and the FMA is still investigating the circumstances. However, an initial review indicates that information supplied through an online complaints form between 2015 and 2017 flowed into a folder holding information to be uploaded to the FMA website.
At no point was the information ever linked to public content on the FMA website, nor could it be located by browsing the website.
All but two of the documents were accessed following a change in automated search algorithms on 30 September 2019. The FMA believes this is related to ordinary enhancements to search engine algorithms, which took place around that time.
The FMA has worked closely with the relevant government agencies and departments, and has engaged KPMG to assist in its investigations into the cause and extent of the incident.
Mr Everett said a full review of the issue would be conducted by an independent external party.
As a precautionary step, the FMA has removed the ability to upload complaints information via the website.
Anyone with questions about information they have provided to the FMA should contact the regulator.