DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NZ: Privacy breach on 9000 ACC claims (updated)

Posted on March 12, 2012 by Dissent

Phil Kitchin reports on a breach involving sensitive personal information in New Zealand:

Private details of more than 9000 ACC claims – some featuring well-known people – have been emailed to a person who should not have received them, in what is being described as one of the worst privacy breaches in New Zealand history.

The details included personal information on nearly 250 clients from ACC’s most secure unit – the sensitive claims unit. Full names, the nature of each claim and dispute, and individual claim numbers were among the information revealed.

For those who, like me, don’t recognize the acronym, ACC’s website describes them:

The Accident Compensation Corporation (ACC) provides comprehensive, no-fault personal injury cover for all New Zealand residents and visitors to New Zealand.

Not surprisingly, they issue press releases. But there has been no statement about this incident, despite having reportedly been alerted to it in December. According to Kitchin:

Senior management at ACC were told three months ago that they had possibly made the biggest privacy breach in New Zealand history, but they have made no effort to investigate or contain the breach with the recipient.

Some of the names in the huge files were public figures, the recipient said, and they also included victims of violent and sexual crimes. Without going through all the files, the recipient recognised at least 10 people on the lists.

The sensitive claims unit is a special unit containing ACC’s most sensitive claimants, including sexual abuse and rape victims.

Not only did ACC allegedly not investigate the breach nor notify those whose private details were exposed, but this was not a single breach/disclosure:

The same details also appear to have been sent to more than 50 ACC managers, most of them not from the sensitive claims unit, raising questions about the security of information supplied to the unit.

Personal information held by the unit is not supposed to be divulged to anyone outside the unit without the permission of the client.

New Zealand currently has no mandatory breach notification law.

So… what will it take to get New Zealand off the dime to require breach notification?

Read more on Stuff.

Update:  There have been dozens of news reports on this breach since Kitchin’s article first appeared.  The ACC has apologized for the breach.  Significantly, media coverage now indicates that the compromised information was confined to names, record (claim) numbers and branches involved. No medical details were involved.  So how bad was this breach really? It seems that all that would have been revealed is that someone had filed a claim with the sensitive claims unit.  While I grant you that’s not a good thing, it certainly doesn’t sound as awful as the initial impressions.

Category: Breach IncidentsExposureInsiderMiscellaneousNon-U.S.Of Note

Post navigation

← Symantec Admit Recent Anonymous Leak is Authentic
Impairment Resources files for bankruptcy after data breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.
  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.