The Privacy Commissioner is calling the Kiwibank transaction history breach 'significant' because of the numbers of customers and the information that was released.
Photo: RNZ / Cole Eastham-Farrelly
Kiwibank is investigating how it sent 4200 customers an email or online bank statement with their own account number, name and address, but another person's transaction history.
The commissioner, John Edwards, said some people will be identifiable by the statements and information sent.
"We generally have an expectation that our financial records will be kept private and the banking relationship is one of high expectation of confidence so to get this so wrong is a pretty serious matter.
Anyone affected had a right to complain to the commission, he said.
"If any of the 4000 or so people whose statements have been disclosed to the wrong person suffers some adverse consequence because of that they can come to us and maybe we can help."
Kiwibank is engaging with the commissioner's office, he said, and is in the early stages of finding out how the error happened.
Privacy Commissioner John Edwards. Photo: Supplied / Office of the Privacy Commissioner
"What we have seen is that they are taking it pretty seriously and getting in touch with all the affected people trying to provide them with support and assurance that their information is now safe.
"They are also asking people who have mistakenly received the wrong information to destroy it.
"It's an uncomfortable feeling for a lot of people to think that their transaction information could be with somebody who might mean some mischief - who could post it online or highlight items of interest that they've seen and use it to further intrude on the privacy or embarrass or shame people."
He understands each case was "one-to-one", where an individual received one other person's transaction history.
"If I'm right about that it does reduce the impact a little bit - it's not like everybody is getting everybody's transaction information."
Kiwibank has declined an interview with RNZ, but in yesterday's statement it said it was writing to customers whose transaction history may have been shared with the wrong person to apologise for the error and outline steps it had taken taken to protect their transaction history.
"We believe the impact on these customers is low, but we will work with them to address any concerns they have," the statement said.
