8 Oct 2019

Stolen computer with Commerce Commission info not password protected

6:33 pm on 8 October 2019

The Commerce Commission says computer equipment without password protection has been stolen from one of it's contractor's homes.

No caption

Commerce Commission chair Anna Rawlings, left, and chief executive Adrienne Meikle at a media conference to discuss the implications of the stolen computer. Photo: RNZ / Hamish Cardwell

The consumer watchdog has launched two independent inquiries, and the police are investigating, after the equipment was taken in a burglary last week.

The Commission says the equipment contained hundreds of meeting and interview transcripts dating back to early 2016.

Chair Anna Rawlings said the contractor failed her obligation to keep information safe and she has been dropped.

"I would expect password protection on devices that are holding commission information.

"We had expectations of that provider to use [the information] to provide services to us, and then dispose or destroy or delete that information."

She said there was no indication any of the information has been released online.

Ms Rawlings said she was aware two other government agencies also used the same provider and understood they knew about the burglary.

The equipment does not include any documents or general consumer complaints provided to the Commission, and its own networks and systems have not been breached, it said.

Commission chief executive Adrienne Meikle said it was working with police and was contacting those affected.

"Some of the information is subject to a confidentiality order issued by the Commission under section 100 of the Commerce Act.

"This makes it a criminal offence for any person in possession of the devices or information from the devices to disclose or communicate it to anyone while the orders are in force. We are also exploring other potential legal avenues to help protect the confidentiality of the information," Ms Meikle said.

Ms Rawlings said Richard Fowler QC would do one review into the circumstances that led to the theft.

She said KPMG would also review the commission's information handling processes, including third-party supplier engagements.

"We will make the findings public once we have considered them and any recommendations made."

Anyone concerned they might be affected should contact the commission, Ms Rawlings said.

The police said in a statement a number of items of electronic computer equipment were taken.

They said they would not provide any more information at this time.

The commission said it would not release any more details about the burglary, the identity of the external provider or the exact nature of the information that may have been on the stolen equipment.