DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NZ: Privacy breach on 9000 ACC claims (updated)

Posted on March 12, 2012 by Dissent

Phil Kitchin reports on a breach involving sensitive personal information in New Zealand:

Private details of more than 9000 ACC claims – some featuring well-known people – have been emailed to a person who should not have received them, in what is being described as one of the worst privacy breaches in New Zealand history.

The details included personal information on nearly 250 clients from ACC’s most secure unit – the sensitive claims unit. Full names, the nature of each claim and dispute, and individual claim numbers were among the information revealed.

For those who, like me, don’t recognize the acronym, ACC’s website describes them:

The Accident Compensation Corporation (ACC) provides comprehensive, no-fault personal injury cover for all New Zealand residents and visitors to New Zealand.

Not surprisingly, they issue press releases. But there has been no statement about this incident, despite having reportedly been alerted to it in December. According to Kitchin:

Senior management at ACC were told three months ago that they had possibly made the biggest privacy breach in New Zealand history, but they have made no effort to investigate or contain the breach with the recipient.

Some of the names in the huge files were public figures, the recipient said, and they also included victims of violent and sexual crimes. Without going through all the files, the recipient recognised at least 10 people on the lists.

The sensitive claims unit is a special unit containing ACC’s most sensitive claimants, including sexual abuse and rape victims.

Not only did ACC allegedly not investigate the breach nor notify those whose private details were exposed, but this was not a single breach/disclosure:

The same details also appear to have been sent to more than 50 ACC managers, most of them not from the sensitive claims unit, raising questions about the security of information supplied to the unit.

Personal information held by the unit is not supposed to be divulged to anyone outside the unit without the permission of the client.

New Zealand currently has no mandatory breach notification law.

So… what will it take to get New Zealand off the dime to require breach notification?

Read more on Stuff.

Update:  There have been dozens of news reports on this breach since Kitchin’s article first appeared.  The ACC has apologized for the breach.  Significantly, media coverage now indicates that the compromised information was confined to names, record (claim) numbers and branches involved. No medical details were involved.  So how bad was this breach really? It seems that all that would have been revealed is that someone had filed a claim with the sensitive claims unit.  While I grant you that’s not a good thing, it certainly doesn’t sound as awful as the initial impressions.

Category: Breach IncidentsExposureInsiderMiscellaneousNon-U.S.Of Note

Post navigation

← Symantec Admit Recent Anonymous Leak is Authentic
Impairment Resources files for bankruptcy after data breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.