In October 2019 the Commission experienced a security breach when an external service provider was burgled and their computer equipment was stolen.
The equipment contained a range of documents relating to the Commission’s work including confidential information provided to us by businesses and individuals. Further details can be found in the incident summary report and our media release of 8 October 2019.
The Commission engaged Richard Fowler QC and KPMG to undertake two independent reviews relating to the incident. The Fowler review looked at circumstances relating to the security incident while the KPMG review looked at the Commission’s broader information management and security. The Commission accepts the findings and recommendations from both reviews. We have taken a range of actions including embarking on a longer-term information management and security programme to help ensure that the public continues to have confidence in our ability to protect confidential and commercially sensitive information. Further details relating to the Commission’s response can be found in our media release of 5 August 2020 and the incident summary report. The reports from both reviews are available at the bottom of this page.
Orders to protect confidentiality of information
The Commission obtained an injunction from the High Court to help protect the confidentiality of information contained on stolen computer equipment belonging to one of its external providers.
The injunction is made against unknown persons who may at any stage possess information on or taken from the equipment. The injunction prohibits any person from dealing with the stolen information, including by copying, communicating or publishing it.
The High Court has also made orders suppressing information relating to the external service provider, the nature of the services provided by the provider to the Commission, and information about the burglary not disclosed by the Police.
Anyone failing to comply with these Court orders could be held in contempt of court.
In addition, some of the information on the stolen equipment is subject to a section 100 order issued by the Commission under the Commerce Act. This makes it a criminal offence for any person in possession of information on or from the equipment to disclose or communicate it to anyone while the order is in force. The order covers information about open Commission matters under the Commerce Act and the Credit Contracts and Consumer Finance Act. The order is unable to cover the Fair Trading Act and closed matters. However, all matters are subject to the Court order.
Both orders are in force until further notice.
The Police have advised the Commission that while the investigation is still open it is no longer active. The stolen equipment has not been recovered and the burglar has not been located. We are confident that they have done everything they can. Police remain open to receiving and investigating any new information on the case.
The Commission encourages any person who has information about the stolen computer equipment to contact the Police or the Commission.