The FMA has apologised for a privacy breach that it said meant complaints documents it received between 2015 and 2017 were potentially accessible via internet searches.
FMA Chief Executive, Rob Everett, said the issue was rectified immediately when the regulator became aware of it, and reassured the public that any information provided to the FMA was now held confidentially.
It confirmed it has identified six cases where sensitive personal information provided to the regulator may have been accessed.
The people involved have been contacted by the FMA to advise them of the issue and any further steps they should take to protect their information, the regulator confirmed.
“We apologise to those people who supplied us with information and also to the wider public for this error. Their trust and confidence is critical to us,” said Everett.
A preliminary review has identified 27 instances where documents that supported complaints were accessed by internet searches. The documents were inadvertently uploaded to a portal on the FMA website. Of these, six contained sensitive personal information such as financial information. The remaining documents were either already publicly available or did not include any sensitive personal information.
The FMA stated that when it first learned of the issue, following a media inquiry on 21 October, it immediately shut down its website to ensure all information was protected. The website was restored on 23 October once the FMA had confirmed no further confidential information was at risk.
“Our immediate focus was to ensure our systems were secure and to protect people’s information,” said Everett.
“We have reviewed what files were uploaded in this way, what information they contained and contacted those people whose sensitive personal information may have been accessed. We are working hard to ensure we get to the bottom of the issue,” he added.
The issue relates to documents that were provided to the FMA several years ago, and the FMA is still investigating the circumstances. However, an initial review indicates that information supplied through an online complaints form between 2015 and 2017 flowed into a folder holding information to be uploaded to the FMA website.
At no point was the information ever linked to public content on the FMA website, nor could it be located by browsing the website, the regulator stated.
It added that it has worked closely with the relevant government agencies and departments, and has engaged KPMG to assist in its investigations into the cause and extent of the incident.
Everett said a full review of the issue would be conducted by an independent external party and, as a precautionary step, the regulator has removed the ability to upload complaints information via the website.