sb-nz logo
Story image

ComCom faces security breach from stolen computer equipment

08 Oct 2019

The Commerce Commission has released a statement saying it is working with Police and taking a range of other actions following the theft of computer equipment belonging to an external provider.

The Commission was informed last week that more than 200 meeting and interview transcripts across a range of the Commission’s work were contained on computer equipment stolen in a burglary.

The transcripts may date back to early 2016 and contain some confidential information businesses and individuals have provided the Commission.
The Commission’s own network and systems have not been breached.

The information potentially contained on the stolen computer equipment does not include any documents or general consumer complaints provided to the Commission.

Chief executive Adrienne Meikle says the Commission has been in close contact with Police and is confident that every possible action is being taken to locate and recover the stolen equipment.

“We are in the process of contacting those affected to discuss the details of the information potentially compromised.

“Some of the information is subject to a confidentiality order issued by the Commission under section 100 of the Commerce Act. This makes it a criminal offence for any person in possession of the devices or information from the devices to disclose or communicate it to anyone while the orders are in force. We are also exploring other potential legal avenues to help protect the confidentiality of the information,” Meikle says.

“We will also no longer be using the external provider. It was subject to contractual and confidentiality obligations to ensure that information was stored securely and deleted after use. The provider has informed us it did not meet these obligations.

Meikle adds, “While this breach has resulted from criminal activity and our provider failing to meet the obligations we placed on it, it is our job to keep sensitive information safe and we apologise unreservedly to those affected. We acknowledge the distress this incident may cause businesses and individuals who have provided information to us in confidence.”

Commission Chair Anna Rawlings says two separate independent reviews have been initiated in response to the security incident. In addition, the Commission will be contacting its third-party suppliers to seek assurances that they are meeting its expectations in relation to information handling and have systems and processes in place to protect its information.

“Information security is crucial to our role and it is vital that those who interact with us can be confident in our ability to protect confidential and commercially sensitive information. We have engaged Richard Fowler QC to undertake an independent review of the circumstances that led to this specific incident.

“Separately, we have also engaged KPMG to review our information handling processes, including third-party supplier engagements. These reviews will report directly to me and the Commission Board. We will make the findings public once we have considered them and any recommendations made,” says Rawlings.

In order to assist the Police investigation and in the interests of the parties potentially affected, the Commission will not be releasing further details about the burglary, the identity of the external provider or the exact nature of the information that may have been on the stolen equipment.

Any business or individual who has been interviewed by the Commission since 2016 and is concerned they may be affected can contact 0800 943 600 or contact@comcom.govt.nz.

Story image
APAC organisations struggle to find balance between digital adoption and cybersecurity
Organisations in the Asia Pacific (APAC) region are significantly concerned about security threats, but nevertheless are looking to advance operations through digital adoption.More
Link image
Data is an organisation's most significant asset - here's how to protect it
Data resilience strategies are becoming more crucial as more value is ascribed to a company's data. If it's not stored securely and cost-effectively, expect problems.More
Story image
ConnectWise launches bug bounty program to bolster cybersecurity strategy
“Crowdsourcing in this way represents a solid additional layer of security, and we clearly value the community's expertise and participation in helping us keep our products secure."More
Link image
Webcast series: The necessary tools to secure a remote workforce
Experts from across the A/NZ region discuss the best security practices in a remote working world - with sessions available on the first Thursday of every month.More
Story image
Check Point acquires Odo Security to bolster remote security offering
The deal will integrate Odo’s remote access software with Check Point’s Inifinity architecture, bolstering the latter company’s remote security capabilities in a time where working and learning from home has become the norm, and looks to largely remain that way in the near future.More
Link image
Webinar: Best practices for keeping your video chats secure
Video collaboration providers nowadays operate exclusively on a multi-tenant, public cloud - and security and privacy concerns have come into the spotlight. Here's how to secure your communications.More